Introduction

In today's digital landscape, securing web applications with SSL/TLS certificates is a fundamental requirement. Let's Encrypt has revolutionized the certificate space by providing free, automated SSL/TLS certificates. Implementing these certificates in load-balanced environments presents unique challenges that require careful planning and implementation.

SFTPPlus MFT simplifies the process of obtaining and installing certificates, making it accessible to everyone. In this article, we will discuss how to configure SFTPPlus to use Let's Encrypt certificates for an HTTP load balanced service.

With SFTPPlus MFT you can run an HTTPS file transfer service that works alongside its SFTP and FTP based file transfer services.


The Challenge with Load Balanced Environments

Load balanced services distribute traffic across multiple server instances to improve reliability, performance, and scalability. When implementing SSL/TLS certificates in such environments, several challenges emerge:

  • Certificate consistency: All servers must present identical certificates
  • Renewal coordination: Certificate updates must propagate to all nodes
  • Validation complexity: Let's Encrypt validates the domain by requesting a challenge file over HTTP (the HTTP-01 challenge on port 80), and behind a load balancer that request can land on any of the servers
  • Minimal downtime: Certificate rotation without service interruption

With multiple SFTPPlus MFT instances running behind a load balancer, you select one of those instances to act as the controller instance.

The controller is the only instance to which port 80 is forwarded, and the only instance that coordinates the domain validation with Let's Encrypt. The load balancer therefore has to route the validation requests to the controller alone, while the regular HTTPS traffic on port 443 is still balanced across all instances.

The other instances sync the certificates from the controller instance. This ensures that the certificates are propagated to all nodes and that all nodes present identical certificates. The synchronization is an automated process between the SFTPPlus MFT instances, without external scripts.
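The load balancer configuration this implies, as an added example that is not part of the SFTPPlus documentation and not HAProxy project code. It assumes a three-node deployment with 10.0.0.11 as the controller; addresses, names and ports are placeholders. Port 80 is used only for the ACME challenge path and is routed to the controller, while port 443 is passed through unchanged so that every node terminates TLS itself with the certificate it synced from the controller:

```haproxy
# Added example for an SFTPPlus MFT cluster behind HAProxy (placeholders throughout).
defaults
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 80 exists only to answer the Let's Encrypt HTTP-01 challenge.
# Everything else on port 80 is redirected to HTTPS.
frontend http_in
    bind *:80
    mode http
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_controller if is_acme
    http-request redirect scheme https code 301 unless is_acme

# Only the controller instance coordinates the validation, so the challenge
# request must never be balanced to another node.
backend acme_controller
    mode http
    server controller 10.0.0.11:80 check

# Port 443 is passed through as raw TCP: the TLS handshake happens on the
# SFTPPlus nodes, which all present the same synced certificate.
frontend https_in
    bind *:443
    mode tcp
    option tcplog
    default_backend sftpplus_https

backend sftpplus_https
    mode tcp
    balance roundrobin
    server node1 10.0.0.11:443 check
    server node2 10.0.0.12:443 check
    server node3 10.0.0.13:443 check
```

With TCP passthrough the load balancer never sees the certificate, so nothing on the balancer needs updating when the controller rotates it; the `check` on the controller backend is only a TCP connect check, and a failed controller does not affect the HTTPS path.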

Even when the controller instance is offline, the other nodes continue to operate and establish TLS connections with the certificate they already hold. Renewal does not happen while the controller is down, so a controller outage is harmless only for as long as the current certificate remains valid.

The controller automatically renews and rotates the certificates. The rotation happens while the existing certificate is still valid, so there is no downtime. Existing connections are not disconnected and keep using the certificate they negotiated; any new connection uses the new certificate.
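Because the load balancer hides which node served a given connection, the two things worth checking after a rotation are that every node presents the same certificate and that none of them is close to expiry (which would mean renewal or sync has stalled). The following is an added example, not SFTPPlus code: it connects to each backend directly, bypassing the load balancer, while sending the public hostname as SNI, exactly as a client through the balancer would. The hostname, node addresses and the 20-day threshold are assumptions; the audit logic is kept separate from the network fetch so it can be exercised with constructed data.

```python
"""Audit the certificate presented by each SFTPPlus node behind a load balancer.

Added example, not part of SFTPPlus. PUBLIC_NAME and NODES are placeholders.
"""
import hashlib
import socket
import ssl
import time

PUBLIC_NAME = "files.example.com"                                  # assumption: public service name
NODES = [("10.0.0.11", 443), ("10.0.0.12", 443), ("10.0.0.13", 443)]  # assumption: backend addresses
MIN_DAYS_LEFT = 20  # assumption: Let's Encrypt renews ~30 days before expiry, so below this renewal is overdue


def fetch_presented_cert(host, port, server_name=PUBLIC_NAME, timeout=5.0):
    """Handshake with one backend using the public name as SNI and return the
    leaf certificate's SHA-256 fingerprint and expiry (epoch seconds).
    The default context verifies the chain against the system trust store, so a
    node still serving a self-signed or expired certificate fails here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
    return {
        "fingerprint": hashlib.sha256(der).hexdigest(),
        "not_after": ssl.cert_time_to_seconds(info["notAfter"]),
    }


def audit(results, now=None, min_days_left=MIN_DAYS_LEFT):
    """results: {node_label: {"fingerprint": hex, "not_after": epoch_seconds}}.
    Returns a list of findings; an empty list means all nodes are consistent
    and comfortably inside their validity window."""
    now = time.time() if now is None else now
    findings = []

    # Consistency: group nodes by the certificate they presented.
    by_fp = {}
    for node, r in results.items():
        by_fp.setdefault(r["fingerprint"], []).append(node)
    if len(by_fp) > 1:
        groups = "; ".join(f"{fp[:16]}...: {', '.join(nodes)}" for fp, nodes in by_fp.items())
        findings.append(f"certificate mismatch across nodes ({groups})")

    # Freshness: an expired or soon-to-expire certificate means the controller
    # did not renew, or the node did not sync the renewed certificate.
    for node, r in results.items():
        days_left = (r["not_after"] - now) / 86400
        if days_left < 0:
            findings.append(f"{node}: certificate expired {-days_left:.1f} days ago")
        elif days_left < min_days_left:
            findings.append(f"{node}: only {days_left:.1f} days left, renewal or sync may have stalled")
    return findings


if __name__ == "__main__":
    results = {}
    for host, port in NODES:
        label = f"{host}:{port}"
        try:
            results[label] = fetch_presented_cert(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{label}: handshake failed: {exc}")
    for line in audit(results) or ["all nodes consistent and within validity window"]:
        print(line)
```

A node whose handshake fails verification is reported separately rather than fed into the audit, since a certificate that the system trust store rejects is a finding on its own. Run it from a host that can reach the backends directly, not through the load balancer.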

Replacing certbot for non-SFTPPlus 3rd party services

For obtaining and renewing certificates, SFTPPlus MFT can be used as a full replacement for the certbot command line tool. There is no need to set up external scripts or cron jobs.

When obtaining or renewing the certificates, SFTPPlus MFT can write the certificates and the private keys as local files. These files can then be used by 3rd party services, such as an HAProxy or Nginx load balancer. Keep the private key files readable only by the account that runs the 3rd party service, and note that HAProxy and Nginx read certificate files at start-up and on reload, so that service still has to be reloaded after SFTPPlus rotates the files.
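An HAProxy fragment that terminates TLS with the files SFTPPlus wrote, as an added example that is neither SFTPPlus documentation nor HAProxy project code. The PEM path is a placeholder for wherever SFTPPlus is configured to write the files, the CA bundle path is the Debian default, and the node addresses are assumptions. HAProxy expects the `crt` file to hold the full chain followed by the private key; HAProxy 2.2 and later (`ssl-load-extra-files`) also accept a separate key in a file with the same name and a `.key` extension:

```haproxy
# Added example: HAProxy terminating TLS with certificate files written by SFTPPlus.
frontend https_in
    # Placeholder path; chain + key in one PEM, or chain in the .pem and key in .key
    bind *:443 ssl crt /etc/sftpplus/letsencrypt/files.example.com.pem alpn h2,http/1.1
    mode http
    http-request set-header X-Forwarded-Proto https
    default_backend sftpplus_nodes

backend sftpplus_nodes
    mode http
    balance roundrobin
    # Re-encrypt to the nodes and verify the certificate they present against the
    # system CA bundle; the nodes hold the same Let's Encrypt certificate, synced
    # from the controller, so verification succeeds for the public name.
    server node1 10.0.0.11:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(files.example.com) check
    server node2 10.0.0.12:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(files.example.com) check
    server node3 10.0.0.13:443 ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(files.example.com) check
```

After each rotation the new PEM is picked up by `systemctl reload haproxy` (a graceful reload keeps existing connections open), and the ACME challenge on port 80 must still reach the controller instance as described above, since the controller remains the one instance talking to Let's Encrypt.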

Conclusion

Implementing Let's Encrypt certificates in load-balanced environments requires thoughtful architecture and automation. By centralizing certificate management in SFTPPlus MFT, organizations can benefit from free, automated SSL/TLS certificates even in complex load-balanced infrastructures.

As web security standards continue to evolve, having a flexible, automated certificate management system ensures your load-balanced services remain secure and compliant with minimal administrative effort.

If you are looking for a way to secure your HTTP load balanced service, using SFTPPlus MFT with Let's Encrypt certificates is a great option.

If you need help deploying Let's Encrypt certificates for your file transfer service, contact the SFTPPlus MFT support team. We are happy to help you get started.