Letsencrypt certificates on API endpoint

Hi all,

I’m about to start production on a balena based hardware project, with devices that need to be ‘in the wild’ for years without any physical maintenance from my side.

My devices connect to an HTTPS endpoint on my server which is secured with an SSL certificate that I have to manually update each year. I’d like to move it to a Letsencrypt certificate, but I’m not sure whether this will cause issues. I can see on some other websites that I host that the root CA certificate for these Letsencrypt certificates is pretty short-lived (it expires within a year from now), while my purchased certificates have a CA that expires in 2038.

Will using Letsencrypt on my API endpoint cause issues with my balena devices not trusting the CA when the current one expires and it switches to a newer one?


Hi Marten,
If I understand correctly what you are doing, you will not have problems since balena is using its own security for communication between the balena Supervisor and balenaCloud. This communication will not interfere with your logic in your application containers, be it for security or for data. balena will keep its communication channel and your application will keep yours.
Good luck with your project!

Hi @rmorillo24,

The communication with balenaCloud is not what I’m worried about. My question is more about how the OS handles CA certificates. Are CA certificates installed in the OS or are they part of the balenalib containers? And will Letsencrypt certificates stop working in my applications once they are refreshed or is there something I’m missing?


Ok, I see now Marten,
To use certificates within your applications, you can use the environment variables in each device. Your application will then have to load them from there to use them.
As you can see, you will have to update this certificate by changing the value of these variables, using the dashboard, CLI or API. Balena will not check validity then, since they are just your variables.

Thanks but that’s still not quite what I mean, although it could be a solution :slight_smile:

The issue is this: my endpoint will be using certificates signed by Letsencrypt’s intermediate certificate, signed by a globally trusted CA. From what I understand, ‘globally’ trusted CAs are installed by default somewhere in the OS or in the containers (I think on debian it’s the ca-certificates package, but I’m not sure how it’s done in the balenalib images).

This is fine, but I think it could create a problem when the endpoint starts using a new certificate, signed by a CA that wasn’t included in the trust store because it didn’t exist yet when the OS/image was built.

My question is whether my thinking is correct, or that I’m missing something that means this would never happen (or wouldn’t happen in the foreseeable future).


Hi there, as long as you rebuild your image(s) and update the certificates package, you should be OK. We update the hostOS in the same way, when we re lease new versions.