How to Manually Renew Let's Encrypt SSL Certificates for Dev Domains

Maintainers: DevOps / SPM Team
Applies to: All *.dev.teamops.de (and other VPN-protected dev domains)

Background

All dev environments are hosted behind a VPN, so their ingress is not reachable from the public internet.
Because of this, Let's Encrypt's HTTP-01 validation cannot be completed automatically: the Let's Encrypt validation servers must fetch a challenge token from http://<domain>/.well-known/acme-challenge/..., and they cannot reach the internal endpoints.

As a result, the certificates for all dev domains (Let's Encrypt certificates are valid for 90 days) must be renewed manually approximately every 3 months. cert-manager will itself start trying to renew about 30 days before expiry (its default renewBefore for a 90-day certificate), but those attempts fail behind the VPN, so the renewal has to be done by hand using the steps below. A DNS-01 solver against the Cloudflare zone would avoid this, since it needs no inbound reachability, but that is outside the scope of this page.

This document explains the manual renewal process step by step.

When to Perform Renewal

You need to perform a renewal when:

  • The SSL certificate for a dev domain has expired or is about to expire.

  • Monitoring or team members report certificate errors (e.g., for https://landing-cms-dev.teamops.de/de/).

  • The quarterly renewal schedule is reached (every ~3 months).

Renewal Procedure
1. Switch DNS CNAME Record (Internal → External)

Let's Encrypt must be able to reach the HTTP-01 challenge over the public internet, so start by switching the DNS record in Cloudflare so that the dev hostname resolves to the external (internet-facing) load balancer.

  • Open the DNS dashboard for teamops.de.

  • Find the record for the dev domain (e.g. dev.teamops.de).

  • Change the CNAME target from the internal ELB to the external ELB.

  Type    Name             From (Internal)                                          To (External)
  CNAME   dev.teamops.de   dev-ingress-internal-x.elb.eu-central-1.amazonaws.com    dev-ingress-external-x.elb.eu-central-1.amazonaws.com

💡 This step makes the domain publicly reachable so Let's Encrypt can validate ownership and issue a new certificate. It also exposes the dev environment to the internet for as long as the record points at the external ELB, so keep this window short and switch back (step 4) as soon as the renewal is verified.

2. Recreate Certificates in the Dev Cluster

Once DNS has propagated (usually 1–2 minutes; confirm from a resolver outside the VPN that the name now answers with the external ELB, since the split-horizon view from inside the VPN does not tell you what Let's Encrypt sees), delete the existing Certificate resources in the dev cluster to trigger re-issuance.

Run the following command:

kubectl delete -n dev certificate \
  letsencrypt-api-dev-cert \
  letsencrypt-dev-cert \
  letsencrypt-maild-dev-cert \
  letsencrypt-pdf-dev-cert \
  landing-cms-dev-certificate-cms

Deleting the Certificate objects makes cert-manager recreate them (from the Ingress annotations or the deployed manifests that define them) and start a fresh HTTP-01 order with Let's Encrypt. Two caveats: cert-manager keeps the existing TLS Secrets, and if a stored certificate is still well within its validity and matches the Certificate spec, cert-manager may simply reuse it rather than order a new one, so this step only reliably forces issuance for certificates that are expired or already due for renewal. Also, the challenge is served through the Ingress, so the external ELB must route /.well-known/acme-challenge/ for each hostname to the cluster; if a Certificate stays not Ready for more than a few minutes, inspect its Order and Challenge resources before retrying.


3. Verify Renewal

Wait about 2–3 minutes, then verify that all dev domains now serve valid certificates. Check the certificate actually presented on port 443 (the -servername option sets SNI, so the ingress returns the certificate for this host rather than its default one):

openssl s_client -connect landing-cms-dev.teamops.de:443 -servername landing-cms-dev.teamops.de </dev/null 2>/dev/null \
  | openssl x509 -noout -issuer -dates

The issuer should be a Let's Encrypt CA and notAfter should be roughly 90 days in the future. Repeat for each dev hostname, or simply open the URLs in a browser to confirm that the certificate is valid and not expired (the openssl check is the more reliable of the two, since browsers may have cached the old connection).


4. Switch DNS Back (External → Internal)

Once renewal is confirmed, restore the original internal DNS target in Cloudflare:

Type

Name

From (External)

To (Internal)

CNAME

dev.teamops.de

dev-ingress-external-x.elb.eu-central-1.amazonaws.com

dev-ingress-internal-x.elb.eu-central-1.amazonaws.com

This restores the normal traffic path through the VPN-only infrastructure. Confirm the change took effect (a public lookup should again return the internal ELB): leaving the record on the external ELB would keep the dev environment exposed to the internet.
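The checks that belong between the four steps above, collected into one script. This is an added example and not part of the original runbook or the team's tooling; it assumes the hostnames, ELB names, namespace and Certificate names used on this page, that kubectl is pointed at the dev cluster, that dig and openssl are installed, and that 1.1.1.1 is an acceptable public resolver to query. The Cloudflare changes themselves are still made by hand; the script refuses to proceed until the public DNS answer matches the external ELB, waits for cert-manager to report every Certificate Ready, and then checks the certificate actually served on 443.

```shell
#!/bin/sh
# Added example (not from the original runbook): guard rails for the manual
# Let's Encrypt renewal of the VPN-protected dev domains.
set -eu

# Names from the runbook; adjust for other dev zones.
EXTERNAL_ELB="dev-ingress-external-x.elb.eu-central-1.amazonaws.com"
INTERNAL_ELB="dev-ingress-internal-x.elb.eu-central-1.amazonaws.com"
NAMESPACE="dev"
CERTS="letsencrypt-api-dev-cert letsencrypt-dev-cert letsencrypt-maild-dev-cert letsencrypt-pdf-dev-cert landing-cms-dev-certificate-cms"
PUBLIC_RESOLVER="1.1.1.1"   # assumption: any resolver outside the VPN will do

# Step 1 check. $1 = output of `dig +short CNAME <name>` (a dotted FQDN),
# $2 = the ELB we expect. dig prints a trailing dot, which is stripped first.
cname_points_to() {
  got="${1%.}"
  [ "$got" = "$2" ]
}

# What Let's Encrypt sees: ask a public resolver, not the VPN's split-horizon DNS.
public_cname() {
  dig +short "@$PUBLIC_RESOLVER" CNAME "$1"
}

# Step 3 check. $1 = PEM certificate text, $2 = days. Succeeds only if the
# certificate does not expire within that many days. `openssl x509 -checkend`
# is used because it is portable, unlike GNU `date -d`.
cert_valid_for_days() {
  printf '%s\n' "$1" | openssl x509 -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Leaf certificate served on 443. -servername sets SNI so the ingress returns
# the certificate for this host instead of its default one.
served_cert() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509
}

# Certificate cert-manager stored in the cluster, readable without any network
# path to the ingress. $1 = the secretName from the Certificate's spec.
cluster_cert() {
  kubectl get secret -n "$NAMESPACE" "$1" -o jsonpath='{.data.tls\.crt}' | base64 -d
}

# Step 2: delete the Certificate objects and block until cert-manager reports
# each one Ready again. A stuck HTTP-01 challenge shows up as a timeout here
# instead of being noticed only when DNS is switched back.
recreate_certs() {
  kubectl delete -n "$NAMESPACE" certificate $CERTS
  for c in $CERTS; do
    kubectl wait -n "$NAMESPACE" --for=condition=Ready "certificate/$c" --timeout=300s
  done
}

main() {
  host="dev.teamops.de"
  check_host="landing-cms-dev.teamops.de"
  if ! cname_points_to "$(public_cname "$host")" "$EXTERNAL_ELB"; then
    echo "public DNS for $host does not point at $EXTERNAL_ELB yet; fix Cloudflare first" >&2
    exit 1
  fi
  recreate_certs
  # A freshly issued 90-day certificate must be good for well over 60 days.
  if cert_valid_for_days "$(served_cert "$check_host")" 60; then
    echo "renewed: $check_host serves a certificate valid for more than 60 days"
  else
    echo "certificate served by $check_host still expires within 60 days" >&2
    exit 1
  fi
  echo "now switch $host back to $INTERNAL_ELB in Cloudflare (step 4)"
}

# Nothing runs unless explicitly asked, so the file can be sourced for its
# helper functions without touching the cluster.
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it with `sh renew-check.sh run` after flipping the CNAME in Cloudflare; to reuse just the checks (for example `cert_valid_for_days "$(cluster_cert <secretName>)" 60` on each stored Secret), source the file instead.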

Example: landing-cms-dev.teamops.de

Actions performed by: Tigran
Date: October 2025

  1. Switched DNS from internal → external.

  2. Deleted existing certs in dev cluster.

  3. Waited ~3 minutes, confirmed certificate renewal.

  4. Switched DNS back to internal.

Result: SSL certificate successfully renewed and system restored.