0

Does anybody know how to do it? Whether it is possible at all.

I followed this Digital Ocean tutorial which works but lacks the information how to apply this in a real world scenario with more than a single domain and multiple applications.

I know how to generate and renew certificates with certbot. Neither works though when the IP address is going through a load balancer.

Changing each and every IP address from the load balancer to the nginx server, renew and then changing a load of ip addresses back to the load balancer and copy paste the content of the certificates doesn't seem to be practical. Is there a better solution?

Edit. Instead of changing the ip address it is possible to just detach all but one nginx server from the load balancer and then renew on this droplet. However, the certbot needs to be a recent version. With a certbot install from 2016 this did not work.

Additional problem. After attaching the other nginx server back to the load balancer the certificates will have to be copied over manually.

Attaching certificates to the load balancer itself is also a manual task and there can be only one certificate to forward 443 to 80.

Dennis Bauszus
  • 103
  • 5

1 Answers1

3

As pointed out by @ceejayoz

This sort of situation is why Let's Encrypt supports DNS-based challenge/auth

You should use the DNS feature of certbot. This will require that you add a new TXT record to the DNS records that certbot will then validate against. This removes the necessity to send HTTP requests to the load-balanced machines.

Alternatively, you can setup the same challenge on all LB systems so that no matter which host the certbot client checks against, it gets the challenge back. This obviously won't work if your having certbot do standalone mode.

Andrew
  • 2,142
  • 2
  • 19
  • 25