We’re excited to announce that IBM Cloud Certificate Manager now supports the automatic renewal of ordered Let’s Encrypt certificates.
IBM Cloud Certificate Manager helps you to obtain, store, and manage TLS certificates that you use for IBM Cloud deployments or other cloud and on-prem deployments.
Previously, in order to renew an ordered certificate, you had to go through a manual action in the service UI or, alternatively, invoke an API call. With automatic renewal enabled, your ordered certificate is renewed 31 days before it expires. After it’s renewed, you are notified in your configured notification channels so that you can deploy it to your TLS termination endpoint—a Kubernetes cluster or any other application or server that requires it.
Not ready to enable automatic renewal? No problem! You can enable it at any time.
Enabling automatic renewal
Enabling auto-renew is easy—it can be done while you’re ordering or after you’ve ordered a certificate. You can also do so via API.
- To enable automatic renewal while you’re ordering a certificate, enable the toggle in the Automatic certificate renewal box.
- To enable automatic renewal after you’ve ordered a certificate, click the overflow menu in the certificate’s row. Then, click Enable Auto-renew.
For more information or help getting started, see “Renewing certificates.”
Automating deployments
If you’re looking for an easy way to ensure that you don’t let certificates for your domains lapse, you can configure automatic deployment of your renewed certificates.
If you’re using Ingress through a Kubernetes cluster, try out this sample that uses IBM Cloud Kubernetes Service’s built-in ALB REST API to retrieve and deploy certificates from Certificate Manager as Ingress Secrets, using an IBM Cloud Functions action. You can also use the IBM Cloud CLI as part of a CI system.
Note: The sample is configured for a scenario in which one cluster with an Ingress controller handles one host. If your topology uses more than one cluster and host, be sure to modify the Cloud Function action. If you need to update the Cloud Function action, you can map clusters to certificate CRNs or use a loop to go over each cluster and update the certificates.
For information on configuring other termination endpoints, check out automating deployments.
Feedback and resources
We’d love to hear from you with feedback and questions:
- If you have technical questions about Certificate Manager, post your question on Stack Overflow and tag your question with ibm-certificate-manager.
- For questions about the service and getting started instructions, use the IBM Developer Answers forum. Include the certificate-manager tag.
- Open a support ticket in the IBM Cloud menu.
To learn more about the service and get started, check out the following links:
- Use IBM Cloud Certificate Manager to Obtain Let’s Encrypt TLS Certificates for Your Public Domains
- How to Use Certificate Manager to Avoid Outages Using Callback URLs
- How to Use Certificate Manager to Avoid Outages Using Callback URLs: Part 2
- How to Automate TLS Certificate Rotation to Avoid Outages