When running production workloads on Oracle Cloud Infrastructure (OCI), HTTPS is mandatory.
OCI provides managed SSL certificates, but once you start scaling across multiple environments, Load Balancers, and API Gateways, SSL costs quietly grow into a recurring expense.

We wanted a solution that was:

  • Secure and production-grade
  • Fully automated
  • Compatible with OCI services
  • Zero cost

Here’s how we achieved ₹0 SSL cost using Let’s Encrypt, while still using OCI Certificate Manager, Load Balancer, and API Gateway.

The Key Architectural Insight

A single Let’s Encrypt SSL certificate is imported into OCI Certificate Manager and reused by:

  • OCI Load Balancer (HTTPS listener)
  • OCI API Gateway (custom domain)

This eliminates the need to purchase or manage separate certificates for each service.

One certificate. Multiple services. Zero cost.

Why We Avoided OCI Paid SSL Certificates

OCI-managed certificates come with:

  • Licensing or usage charges
  • Cost per certificate
  • Renewal limitations
  • Higher operational overhead

In environments with:

  • Multiple domains
  • Multiple API Gateways
  • Multiple Load Balancers

SSL expenses increase rapidly.

We needed a simpler and cheaper alternative.

Why Let’s Encrypt?

Let’s Encrypt is a globally trusted Certificate Authority that offers:

  • Free SSL certificates
  • Trusted by all major browsers
  • Secure RSA 2048-bit encryption
  • 90-day validity with automated renewal
  • Seamless integration with OCI

There’s no downside — only savings.

High-Level Architecture Flow

  • Certbot generates SSL certificates on a VM
  • Certificate is imported into OCI Certificate Manager
  • The same certificate is attached to:
    • Load Balancer HTTPS listener
    • API Gateway custom domain
  • Renewal is automated and pushed back to OCI

Once configured, the system runs without manual intervention.

Prerequisites

Before starting, ensure you have:

  • A valid public domain (e.g., test.example.com)
  • Port 80 open for HTTP validation
  • Root or sudo access
  • OCI CLI installed and configured
  • Nginx or Apache installed
  • Internet access

Step 1: Install Certbot

sudo apt update
sudo apt install certbot python3-certbot-nginx -y

Step 2: Generate SSL Certificate (RSA 2048-bit)

sudo certbot certonly --nginx -d test.example.com --rsa-key-size 2048

Certificates are stored at:

/etc/letsencrypt/live/test.example.com/

Generated files:

  • cert.pem – SSL certificate
  • chain.pem – Certificate chain
  • privkey.pem – Private key

Step 3: Import Certificate into OCI Certificate Manager

Once imported, this certificate becomes a central SSL asset.

You can now attach the same certificate to:

  • OCI Load Balancer
  • OCI API Gateway custom domain

No duplicate uploads. No extra cost.

Automating Renewal and OCI Updates

Let’s Encrypt certificates expire every 90 days, so automation is critical.

Our automation performs:

  • Certificate renewal
  • Renewal verification
  • OCI certificate update
  • Logging for auditing

Automated Renewal Script

#!/bin/bash

CERT="/etc/letsencrypt/live/test.example.com/cert.pem"
CHAIN="/etc/letsencrypt/live/test.example.com/chain.pem"
KEY="/etc/letsencrypt/live/test.example.com/privkey.pem"
LOG="/var/log/ssl_oci_renew.log"

CERT_OCID="ocid1.certificate.oc1.eu-stockholm-1.xxxxx"

# certbot only replaces the files under /etc/letsencrypt/live when the
# certificate is inside its renewal window; on success it prints "Congratulations"
OUTPUT=$(sudo certbot renew 2>&1)

if echo "$OUTPUT" | grep -q "Congratulations"; then
    # Push the renewed certificate, chain and key to OCI as a new version of the
    # same certificate OCID; only log success if the OCI CLI call actually succeeded
    if oci certs-mgmt certificate update-certificate-by-importing-config-details \
         --certificate-id "$CERT_OCID" \
         --certificate-pem "$(cat "$CERT")" \
         --cert-chain-pem "$(cat "$CHAIN")" \
         --private-key-pem "$(cat "$KEY")"; then
        echo "$(date) - Certificate renewed and updated in OCI." >> "$LOG"
    else
        echo "$(date) - Certificate renewed but OCI update FAILED; files on disk are newer than OCI." >> "$LOG"
        exit 1
    fi
else
    echo "$(date) - Certificate not due for renewal." >> "$LOG"
fi
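As an added check that is not part of the original post, the script below verifies a renewed bundle before any OCI update is attempted: the private key matches the certificate, chain.pem actually issued it, and the certificate is not already close to expiry. The self-signed material it generates is constructed for demonstration only; the function name verify_bundle and the MIN_DAYS threshold are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the original post): pre-flight checks on a renewed
# Let's Encrypt bundle before it is pushed to OCI Certificate Manager.
# verify_bundle CERT CHAIN KEY [MIN_DAYS] returns 0 only when every check passes.

verify_bundle() {
    local cert="$1" chain="$2" key="$3" min_days="${4:-7}"
    local cert_pub key_pub

    # 1. privkey.pem must belong to cert.pem: compare the SPKI public keys
    #    (works for RSA and ECDSA keys alike)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "verify_bundle: private key does not match certificate" >&2; return 1
    fi

    # 2. chain.pem must actually issue cert.pem (-partial_chain lets the
    #    intermediate in chain.pem act as the trust anchor, no system root needed)
    if ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "verify_bundle: chain does not verify the certificate" >&2; return 1
    fi

    # 3. never import a certificate that already expires within MIN_DAYS
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "verify_bundle: certificate expires within $min_days days" >&2; return 1
    fi
    return 0
}

# Constructed sample material (a throwaway self-signed cert, NOT real Let's Encrypt
# files) so the checks run offline. In production, point verify_bundle at
# /etc/letsencrypt/live/<domain>/; certbot's --deploy-hook exports that directory
# as $RENEWED_LINEAGE only when a renewal really happened.
WORK=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=test.example.com" \
    -keyout "$WORK/privkey.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
cp "$WORK/cert.pem" "$WORK/chain.pem"          # self-signed: the chain is the cert itself
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/wrong-key.pem" >/dev/null 2>&1   # unrelated key for the negative case

verify_bundle "$WORK/cert.pem" "$WORK/chain.pem" "$WORK/privkey.pem" 7 \
    && echo "matching bundle: OK to import"
verify_bundle "$WORK/cert.pem" "$WORK/chain.pem" "$WORK/wrong-key.pem" 7 \
    || echo "mismatched key: refused, as expected"
```

Calling verify_bundle from the renewal script, and only running the oci update when it returns 0, keeps a corrupted or mismatched bundle from ever reaching the Load Balancer or API Gateway.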
Scheduling Daily Renewal Check (2:00 AM IST)

The server runs in UTC, and 2:00 AM IST is 20:30 UTC on the previous day:

sudo crontab -e

30 20 * * * /home/ubuntu/ssl_oci_renew.sh >> /var/log/ssl_oci_renew.log 2>&1

This ensures:

  • Daily renewal checks
  • Automatic OCI updates
  • Zero downtime
  • No manual effort

Final Outcome

With this setup, we achieved:

  • ₹0 SSL cost
  • Fully automated certificate renewal
  • Secure RSA 2048-bit encryption
  • One certificate reused across Load Balancer and API Gateway
  • Production-ready reliability