SSL Certificates
SSL Certificates Management
ZoneHero supports TLS for secure connections to your load balancers. This guide explains how to configure and manage SSL certificates for use with ZoneHero.
Certificate Requirements
To support TLS, you must store each certificate in an AWS Secrets Manager secret whose name starts with /hlb/, and replicate that secret to every region in which the certificate will be used.
The secret must contain two key/value pairs:
- fullchain.pem: the certificate chain (the leaf certificate first, followed by any intermediates)
- privkey.pem: the private key
We strongly recommend using ECC certificates for better performance and cost savings.
Certificate Management
Certificates can be managed and rotated however you see fit, although we strongly recommend automating the process. ZoneHero checks for new versions of the secret every hour; for a faster switch, create a secret with a new name and point the load balancer at it (no restart is required).
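The following Python script is an added example (not ZoneHero's own tooling) showing how the requirements above translate into code: it checks that fullchain.pem and privkey.pem have the expected PEM structure, builds the two-key JSON document, enforces the /hlb/ name prefix, and either creates the secret with replicas or stores a new version for rotation. It assumes the boto3 Secrets Manager client methods create_secret (with AddReplicaRegions) and put_secret_value; the client is passed in as a parameter, and the PEM samples are constructed placeholders, not real key material.

```python
"""Publish a TLS certificate to AWS Secrets Manager in the layout ZoneHero reads.

Added example, not ZoneHero's own tooling. It assumes the boto3 Secrets Manager
client methods create_secret (with AddReplicaRegions) and put_secret_value; the
client is passed in, so the logic below can be exercised with a fake client.
"""
import json
import re

SECRET_PREFIX = "/hlb/"  # ZoneHero only reads secrets whose name starts with this
REQUIRED_KEYS = ("fullchain.pem", "privkey.pem")

# One PEM block: matching BEGIN/END labels around one or more base64 lines.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(?:[A-Za-z0-9+/=]+\n)+-----END \1-----"
)


def pem_labels(text):
    """Return the BEGIN labels of every well-formed PEM block in text, in order."""
    return [m.group(1) for m in _PEM_BLOCK.finditer(text)]


def validate_payload(fullchain_pem, privkey_pem):
    """Check both values before they are stored. Returns (errors, warnings)."""
    errors, warnings = [], []
    chain = pem_labels(fullchain_pem)
    if not chain:
        errors.append("fullchain.pem contains no PEM certificate block")
    elif any(label != "CERTIFICATE" for label in chain):
        errors.append("fullchain.pem may only contain CERTIFICATE blocks")
    keys = pem_labels(privkey_pem)
    if len(keys) != 1 or not keys[0].endswith("PRIVATE KEY"):
        errors.append("privkey.pem must contain exactly one private key block")
    elif keys[0].startswith("ENCRYPTED"):
        # The secret layout has no passphrase field, so the key must be unencrypted.
        errors.append("privkey.pem must not be passphrase-protected")
    elif keys[0] == "RSA PRIVATE KEY":
        # Accepted, but ZoneHero recommends ECC certificates for performance and cost.
        warnings.append("privkey.pem is an RSA key; an ECC certificate is recommended")
    return errors, warnings


def build_secret_string(fullchain_pem, privkey_pem):
    """Serialise the two files as the JSON key/value document ZoneHero expects."""
    return json.dumps(dict(zip(REQUIRED_KEYS, (fullchain_pem, privkey_pem))))


def publish_certificate(client, name, fullchain_pem, privkey_pem,
                        replica_regions, primary_region):
    """Create the secret, or store a new version of it; returns "created" or "rotated".

    Replication is configured at creation time: Secrets Manager keeps existing
    replicas in sync with each new version, so rotation only needs put_secret_value.
    The primary region is not a valid replica target, so it is filtered out.
    """
    if not name.startswith(SECRET_PREFIX):
        raise ValueError(f"secret name must start with {SECRET_PREFIX}: {name}")
    errors, _warnings = validate_payload(fullchain_pem, privkey_pem)
    if errors:
        raise ValueError("; ".join(errors))
    secret = build_secret_string(fullchain_pem, privkey_pem)
    replicas = [{"Region": r} for r in replica_regions if r != primary_region]
    try:
        client.create_secret(Name=name, SecretString=secret, AddReplicaRegions=replicas)
        return "created"
    except client.exceptions.ResourceExistsException:
        # New version of an existing secret; ZoneHero picks it up within the hour.
        client.put_secret_value(SecretId=name, SecretString=secret)
        return "rotated"


# Constructed placeholders with the right PEM structure; not real key material.
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nMIIBleafplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBintermediate\n-----END CERTIFICATE-----\n"
)
SAMPLE_PRIVKEY = (
    "-----BEGIN EC PRIVATE KEY-----\nMHcCplaceholder\n-----END EC PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    errs, warns = validate_payload(SAMPLE_FULLCHAIN, SAMPLE_PRIVKEY)
    print("errors:", errs, "warnings:", warns)
    print(build_secret_string(SAMPLE_FULLCHAIN, SAMPLE_PRIVKEY)[:60], "...")
    # Real use (assumed boto3 call, not run here):
    # publish_certificate(boto3.client("secretsmanager", region_name="eu-west-1"),
    #     "/hlb/example.com", open("fullchain.pem").read(), open("privkey.pem").read(),
    #     ["eu-west-1", "eu-central-1"], primary_region="eu-west-1")
```

To change the replica set of an existing secret later, the corresponding boto3 call is replicate_secret_to_regions; the script deliberately does not call it on every rotation, since existing replicas follow the primary automatically.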
Automated Certificate Management with Let’s Encrypt
There’s an easy way to manage ECC certificates with automatic generation from Let’s Encrypt using a Lambda function:
Download the latest release zip from certbot-lambda releases and upload it to an S3 bucket that you own.
Use the example Terraform module to deploy it:
module "certbot" {
source = "git::https://gitlab.guerraz.net/HLB/hlb-quick-start.git//examples/certbot"
# Parameters you should set for your deployment (they have defaults, but override them)
aws_region = "eu-west-1"
certbot_emails = "your-email@example.com"
certbot_domains = "yourdomain.example.com"
secret_replica_regions = ["eu-west-1", "eu-central-1", "us-east-1"]
# S3 bucket containing the Lambda zip
certbot_source_bucket = "your-lambda-bucket"
certbot_source_key = "certbot-lambda.zip"
# Optional parameters with their default values
lambda_memory = 256
lambda_timeout = 600
rotation_schedule = "30"
}
This will automatically:
- Create and renew Let’s Encrypt certificates
- Store them in AWS Secrets Manager with the required format
- Replicate them to all specified regions
Limitations
Please note the following limitations:
- ZoneHero currently does not support issuing TLS certificates itself (though we plan to add this feature in the future)
- ZoneHero does not support using AWS ACM issued certificates
Instead, you must use certificates stored in AWS Secrets Manager as described above.