Automatic renewal of Oracle Cloud Load Balancer SSL Certs with Certbot & Let's Encrypt

Automatic renewal of Oracle Cloud Load Balancer SSL Certs with Certbot & Let's Encrypt

I recently had trouble finding a solution to issue public SSL certs for an OCI Load Balancer with automatic renewal. I was hoping the OCI native Certificates resource would be the answer, but these are untrusted self-signed certs only.

So naturally, I turned to Certbot to see if it could provide an answer, and as it so happens the deploy-hook function combined with Oracle's oci-cli tool makes for a straightforward and effective solution.


Install Packages:

  • python3
  • python3-venv
  • libaugeas0

Create Python VENV:

/usr/bin/python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip

Install Certbot:

/opt/certbot/bin/pip install certbot

Install OCI-CLI:

According to Oracles Documentation at the time of writing, though best to follow the most recent official installation guide.

bash -c "$(curl -L"

The installation script will walk you through the creation of your configuration file. You will then want to add your API Keys to your selected User in the OCI console:

Identity > Users > User Details > API Keys

Create OCI Load Balancer and Listener:

If you're following this guide, I will assume you already have a Load Balancer resource in OCI. You should create a HTTPS Listener with a Backend Set before proceeding.

The Scripts:

This below command will issue an LE cert for with the SAN using the DNS method, which requires being able to create a TXT record under the authoritative zone for

Complete and save this script as


certbot certonly \
-d, \
--cert-name \
--manual \
--preferred-challenges dns \
--force-renew \
--deploy-hook ./

By using this method, we will not be required to respond to HTTP challenge requests on the local Certbot host, which can become complex when sitting behind a Load Balancer.

(If the DNS method is not an option for you, this guide does a good job at walking through the steps involved in creating the neccessary Listener, Backend Set and Path Route Set)

Certbot will then call a deploy-hook script, which is executed only on successful renewal of certs. The deploy-hook is passed the environment variables $RENEWED_DOMAINS (the certificate CN) and $RENEWED_LINEAGE (the path to the directory containing all cert keys)

Complete and save this script as


oci lb certificate create \
--config-file ./config \
--load-balancer-id <ocid> \
--wait-for-state SUCCEEDED \
--certificate-name "$RENEWED_DOMAINS-"`date +"%Y-%m-%d"` \
--ca-certificate-file "$RENEWED_LINEAGE/fullchain.pem" \
--private-key-file "$RENEWED_LINEAGE/privkey.pem" \
--public-certificate-file "$RENEWED_LINEAGE/cert.pem"

oci lb listener update --force \
--config-file ./config \
--load-balancer-id <ocid> \
--wait-for-state SUCCEEDED \
--listener-name "HTTPS" \
--default-backend-set-name <backend_set> \
--port 443 --protocol HTTPS \
--ssl-certificate-name "$RENEWED_DOMAINS-"`date +"%Y-%m-%d"` \
--hostname-names \[\"$RENEWED_DOMAINS\"\] 

The two steps in this script are:

1) Upload the newly generated cert to the Load Balancer resource

2) Apply the newly generated cert to the Load Balancer Listener

Done! Running will take care of cert renewal, as well as pushing the new certs out to your OCI Load Balancer. This script can be executed by a cronjob every 30 days, or at whatever frequency you wish to renew.

Hope this helped, feel free to send any questions my way if you have run into trouble.

Related Article