
So currently we are running a sort of "partial DNS round robin" setup.

We use 3 different NGINX web servers with a bunch of domains, however 6 of those domains are set up so they point to the IP of all 3 web servers.

So my first issue was making Certbot work when creating certificates in round robin (since the ACME challenge could hit a web server that didn't host the challenge file, which resulted in failure). I've solved that by creating redirects for ACME challenges to a single web server which acts as an "authenticator".

Now my question is, since now there are 2 separate certificate files in play... One for the domains that are not in the DNS round robin (certs that each web server creates for the domains hosted on it) and then the cert file that the "authenticator server" creates, which includes all of the round robin domains... What would be the simplest solution to distribute these certs to the other web servers?

Could I just copy the round robin cert to the other web servers and manually merge it with the existing ones? Say something like copy the contents of "fullchain.pem" and "privkey.pem" into existing ones, pretty much merging them?

mar91
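The setup described in the question (every round-robin server redirects ACME HTTP-01 challenges to one "authenticator" host) can be expressed as an NGINX configuration like the following. This is an added example, not configuration from the original post; the hostnames `only.example.com` (a domain hosted on this server only), `rr.example.com` (one of the round-robin domains), `auth.example.net` (the authenticator) and the file paths are placeholders. It also shows why the two certificate files never need to be merged: each `server` block carries its own `ssl_certificate` / `ssl_certificate_key` pair, so the locally issued certificate and the copied round-robin certificate sit side by side.

```nginx
# Added example (not from the original post): configuration for ONE of the three
# round-robin web servers. All names and paths are placeholders (assumptions).

# Port 80: send ACME HTTP-01 challenges to the single authenticator, so the CA's
# validation request lands on a host that actually holds the token no matter which
# A record the CA picked. Everything else is sent to HTTPS.
server {
    listen 80;
    server_name only.example.com rr.example.com;

    # Let's Encrypt follows HTTP redirects during HTTP-01 validation, including
    # redirects to a different hostname, so the token only has to exist on the
    # authenticator (which must serve this path itself, not redirect it again).
    location ^~ /.well-known/acme-challenge/ {
        return 302 http://auth.example.net$request_uri;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

# Domain hosted on this server only: certificate issued by this server's own certbot.
server {
    listen 443 ssl;
    server_name only.example.com;

    ssl_certificate     /etc/letsencrypt/live/only.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/only.example.com/privkey.pem;

    root /var/www/only;
}

# Round-robin domain: certificate issued on the authenticator and copied to this
# server under the same path. Separate block, separate cert/key pair; the two
# fullchain.pem / privkey.pem files are never concatenated into one.
server {
    listen 443 ssl;
    server_name rr.example.com;

    ssl_certificate     /etc/letsencrypt/live/rr.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/rr.example.com/privkey.pem;

    root /var/www/rr;
}
```

Two points worth keeping in mind when copying the round-robin certificate to the other servers: `privkey.pem` is a secret, so it should travel over an authenticated channel (for example `rsync`/`scp` over SSH from a certbot `--deploy-hook`) and keep root-only permissions at the destination, and `nginx -t` followed by a reload on each receiving server confirms the copied chain and key still match before the new certificate is served.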
  • "What would be simplest solution to distribute these certs to other web servers?" There is technically no obligation to use the same certificate on all servers. Each one can have its own certificate. Doing so removes the need to deploy certificates and keys everywhere. Other than that your question is off-topic here as it is not related to programming. – Patrick Mevzek Jan 24 '22 at 20:50
  • @PatrickMevzek the problem is, LetsEncrypt will challenge the server IP the DNS returns, which in a round robin scenario may not be the same server. If LetsEncrypt were to look at all the DNS A records, then challenge the requesting server, there wouldn't be a problem. – FlappySocks Jul 22 '22 at 02:38
  • When a browser connects, if it gets multiple IP addresses, it does not look at all of them but picks one, tries to connect, and goes back to the others only in case of errors. So the same logic applies here. But the validation can happen "elsewhere". You have two options: at the DNS level you can CNAME `_acme-challenge` to another name, which has only one IP. OR at the HTTP level, you redirect `.well-known` from all servers only to one given separate server. Then you solve the problem of having things on all servers. The other solution is to let each server have its own certificate. – Patrick Mevzek Jul 22 '22 at 13:46

0 Answers