Hi there,
I’m running 2 Pound loadbalancers behind a single IP address (NAT router). One is active and has all the necessary outside ports forwarded to it. The second one is running as a standby unit in case the first one quits. When this happens we have to reroute the ports to the second server’s IP address, but that’s no problem.
I’ve used this excellent article on how to implement Let’s Encrypt certificates on Pound:
Basically, Pound listens to the incoming data and forwards the traffic with “.well-known” url to the stand alone cert-bot at a different port on the same machine. This works well for the active loadbalancer.
What I want to achieve is for the second loadbalancer to actively renew its certificate as well. I figured I maybe can expand the ruleset on the active loadbalancer so it reroutes incoming challenges for the second loadbalancer to its IP address.
So from:

```
ListenHTTP
    Service
        URL "/.well-known/acme-challenge/.*"
        BackEnd
            Address 127.0.0.1
            Port 8000
        End
    End
```
Change to something like:

```
ListenHTTP
    Service
        URL "loadbalancer1.fqdn/.well-known/acme-challenge/.*"
        BackEnd
            Address loadbalancer1.ip.add.res
            Port 8000
        End
    End
    Service
        URL "loadbalancer2.fqdn/.well-known/acme-challenge/.*"
        BackEnd
            Address loadbalancer2.ip.add.res
            Port 8000
        End
    End
```
And running the following commands:
```
/certbot-auto certonly --standalone --agree-tos -d {fqdn} --email {emailaddress} --preferred-challenges http --http-01-port 8000 --http-01-address loadbalancer1.fqdn --dry-run
```
and on the second loadbalancer:
```
/certbot-auto certonly --standalone --agree-tos -d {fqdn} --email {emailaddress} --preferred-challenges http --http-01-port 8000 --http-01-address loadbalancer2.fqdn --dry-run
```
The domain URL and the loadbalancer URLs point to the same (single) IP address of the NAT router. The loadbalancers have unique names.
But whatever I try, it looks like the received challenge is not accepted:
```
Domain: domain_url
Type:   unauthorized
Detail: Invalid response from
http://domain_url/.well-known/acme-challenge/[edited]
[ip.ad.dr.es]: 503
```
For those who have kept on reading:
Does anyone have ideas? A similar setup?
Thanks,
Edgar
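To make the setup in the post concrete, here is an added example (not code from the post, the linked article, Pound or certbot) that models it on loopback: a front HTTP listener in the role of the active Pound instance receives `http://<name>/.well-known/acme-challenge/<token>` requests and forwards them, by `Host` header, to one of two standalone HTTP-01 responders in the role of `certbot --standalone --http-01-port 8000` on each balancer. Anything for an unknown name or a non-challenge path gets a 503, the status the CA reported above. The host names (`loadbalancer1.example`, `loadbalancer2.example`), tokens and key authorizations are constructed for the demo, and ports are picked automatically.

```python
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Only the ACME HTTP-01 path is ever forwarded to a challenge responder.
CHALLENGE_RE = re.compile(r"^/\.well-known/acme-challenge/([A-Za-z0-9_-]+)$")


def make_responder(tokens):
    """Stand-in for `certbot --standalone --http-01-port 8000` on one balancer:
    answers GET /.well-known/acme-challenge/<token> from a token -> key-authorization dict."""
    class Responder(BaseHTTPRequestHandler):
        def do_GET(self):
            m = CHALLENGE_RE.match(self.path)
            body = tokens.get(m.group(1)) if m else None
            if body is None:
                self.send_response(404)
                self.end_headers()
                return
            data = body.encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):  # keep the demo quiet
            pass
    return Responder


def make_front(routes):
    """Stand-in for the active Pound listener. `routes` maps a Host header value to the
    port of that balancer's responder. Unknown Host or non-challenge path -> 503."""
    class Front(BaseHTTPRequestHandler):
        def do_GET(self):
            host = (self.headers.get("Host") or "").split(":")[0].lower()
            backend = routes.get(host)
            if backend is None or not CHALLENGE_RE.match(self.path):
                self.send_response(503)
                self.end_headers()
                return
            try:  # relay the backend's status and body unchanged
                with urlopen(f"http://127.0.0.1:{backend}{self.path}", timeout=2) as r:
                    status, data = r.status, r.read()
            except HTTPError as e:
                status, data = e.code, b""
            self.send_response(status)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)

        def log_message(self, *args):
            pass
    return Front


def serve(handler):
    """Start a server on a free loopback port in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(front_port, host, token):
    """What the CA's validator does from outside: fetch the challenge URL with the Host
    header set to the name being validated. Returns (status, body)."""
    req = Request(f"http://127.0.0.1:{front_port}/.well-known/acme-challenge/{token}",
                  headers={"Host": host})
    try:
        with urlopen(req, timeout=2) as r:
            return r.status, r.read().decode()
    except HTTPError as e:
        return e.code, ""


def demo():
    """Two balancers, one token each; the front routes by Host. All values constructed."""
    lb1 = serve(make_responder({"tok1": "tok1.lb1-keyauth"}))
    lb2 = serve(make_responder({"tok2": "tok2.lb2-keyauth"}))
    front = serve(make_front({"loadbalancer1.example": lb1.server_port,
                              "loadbalancer2.example": lb2.server_port}))
    try:
        return {
            "lb1": probe(front.server_port, "loadbalancer1.example", "tok1"),
            "lb2": probe(front.server_port, "loadbalancer2.example", "tok2"),
            "wrong_balancer": probe(front.server_port, "loadbalancer1.example", "tok2"),
            "unknown_host": probe(front.server_port, "other.example", "tok1"),
        }
    finally:
        for srv in (front, lb1, lb2):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name}: {status} {body!r}")
```

The point the model makes is that the front has to select the backend from the request's `Host` header, because the path is identical for every name; in Pound the `URL` directive is matched against the request path only, and a separate header match (Pound's `HeadRequire` directive) is the place where the host name can be tested. The `probe` function is also a useful check to run from outside before a real renewal: if it returns 503 for a name, the CA's validator will see the same thing.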