Update Free SSL Certificates for the OCI Load Balancer
In my previous blog post on Running ORDS Against the Autonomous Database - Part 2, we looked at how to add an existing Let's Encrypt (LE) SSL certificate to an Oracle Cloud Infrastructure (OCI) Load Balancer. You'd typically want to host your websites or Oracle Application Express applications over a secure transport layer, especially when sensitive data is communicated between the browser and the server.
Typically, I'd run scripts on the web server to generate and renew certificates using Certbot, since it would be easy enough to point the web server configuration to use the generated artifacts, as well as to perform service restarts. However, with the load balancer, this becomes more challenging. It doesn't help that LE certificates expire every 90 days.
I've found it most reliable to run Certbot from within a Docker container to avoid any dependency issues, and you can quite easily get the published image on Docker Hub, including variants with plugins that work directly with DNS services like Cloudflare. These plugins matter if you want to obtain wildcard certificates, which require a different, DNS-based challenge process.
Once the certificates have been generated, they would have to be deployed to the OCI load balancer and assigned to the active listener that supports HTTPS requests. You could do this manually through the OCI console, but it is a mundane and routine task that is prone to neglect, so I had to figure out a way to automate this part of the process.
On the web server, Certbot is usually called by a cron job once a day. It checks whether a certificate is close to expiry and initiates the renewal process if it is. It also has hooks that allow you to execute external scripts: for example, after a certificate is successfully generated or renewed, a post-hook could be used to restart the web server.
Using the Certbot hooks and the OCI CLI, I created a Docker image that encapsulates both pieces of software and has them work together to perform both tasks in concert. You can find the code here. The documentation is a little rough and lengthy, so I will leave you to read the steps described in the README file.
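To show the shape of the hook that ties the two tools together, here is an added example of a Certbot deploy hook written for this post; it is not code from the author's repository. It relies on Certbot exporting `RENEWED_LINEAGE` (the directory holding `cert.pem`, `chain.pem` and `privkey.pem`) to deploy hooks, and on the `oci lb certificate create`, `oci lb listener update` and `oci lb certificate delete` subcommands of the OCI CLI. The load balancer OCID, listener name, backend set name and state-file path are placeholders that you would set for your own tenancy. Because an OCI load balancer certificate cannot be modified in place and certificate names must be unique, the hook uploads each renewal under a new timestamped name, switches the HTTPS listener to it, and only then deletes the previous one, so the listener never points at a missing certificate.

```shell
#!/bin/sh
# Certbot deploy hook (added example, not the author's code): push a renewed
# Let's Encrypt certificate to an OCI load balancer listener with the OCI CLI.
# Usage with certbot: certbot renew --deploy-hook /path/to/this/script.sh
set -eu

# Assumed configuration; override through the environment.
LB_OCID="${LB_OCID:-ocid1.loadbalancer.oc1..PLACEHOLDER}"   # placeholder OCID
LISTENER_NAME="${LISTENER_NAME:-https-listener}"
BACKEND_SET_NAME="${BACKEND_SET_NAME:-ords-backend-set}"
LISTENER_PORT="${LISTENER_PORT:-443}"
STATE_FILE="${STATE_FILE:-/var/lib/certbot-oci/last-cert-name}"  # remembers last deployed name
OCI_BIN="${OCI_BIN:-oci}"   # lets a dry run substitute a mock for the real CLI

# OCI LB certificates are immutable and names are unique per load balancer,
# so derive a fresh name from the lineage (domain) and a timestamp.
cert_name_for() {
  lineage="$1"; stamp="$2"
  printf '%s-%s' "$(basename "$lineage")" "$stamp"
}

# Upload the renewed leaf, chain and private key under the new name.
upload_certificate() {
  lineage="$1"; name="$2"
  "$OCI_BIN" lb certificate create \
    --load-balancer-id "$LB_OCID" \
    --certificate-name "$name" \
    --public-certificate-file "$lineage/cert.pem" \
    --ca-certificate-file "$lineage/chain.pem" \
    --private-key-file "$lineage/privkey.pem" \
    --wait-for-state SUCCEEDED
}

# Repoint the HTTPS listener at the new certificate. The listener update
# requires backend set, port and protocol to be restated.
switch_listener() {
  name="$1"
  "$OCI_BIN" lb listener update \
    --load-balancer-id "$LB_OCID" \
    --listener-name "$LISTENER_NAME" \
    --default-backend-set-name "$BACKEND_SET_NAME" \
    --port "$LISTENER_PORT" \
    --protocol HTTP \
    --ssl-certificate-name "$name" \
    --force \
    --wait-for-state SUCCEEDED
}

# Delete a certificate that no listener references any more.
delete_certificate() {
  name="$1"
  "$OCI_BIN" lb certificate delete \
    --load-balancer-id "$LB_OCID" \
    --certificate-name "$name" \
    --force \
    --wait-for-state SUCCEEDED
}

# Full rotation: upload, switch, record, then retire the previous certificate.
# Prints the name of the certificate now serving the listener.
deploy_renewed_certificate() {
  lineage="$1"
  stamp="${2:-$(date +%Y%m%d%H%M%S)}"
  new_name="$(cert_name_for "$lineage" "$stamp")"
  prev_name="$(cat "$STATE_FILE" 2>/dev/null || true)"

  upload_certificate "$lineage" "$new_name"
  switch_listener "$new_name"
  printf '%s' "$new_name" > "$STATE_FILE"   # only after the switch succeeded

  if [ -n "$prev_name" ] && [ "$prev_name" != "$new_name" ]; then
    delete_certificate "$prev_name"
  fi
  printf '%s\n' "$new_name"
}

# Certbot sets RENEWED_LINEAGE for deploy hooks; do nothing when run by hand without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_renewed_certificate "$RENEWED_LINEAGE"
else
  echo "RENEWED_LINEAGE is not set; run this as a certbot --deploy-hook" >&2
fi
```

The state file is what makes the clean-up safe: the previous name is read before the upload and overwritten only after the listener switch has completed, so a failure part-way through leaves the old certificate in place and still referenced. Since the hook reads `privkey.pem`, keep it and the container it runs in restricted to the same user that owns the Certbot directories.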
Hope this helps you maintain and secure your web applications!
Photo Credits: Photo by Schluesseldienst, License: Pixabay