2 Pound loadbalancers, one IP address, obtaining certificates for 1 domain

Hi there,

I’m running 2 Pound loadbalancers behind a single IP address (NAT router). One is active and has all the necessary outside ports forwarded to it. The second one is running as a standby unit in case the first one quits. When this happens we have to reroute the ports to the second server’s IP address, but that’s no problem.

I’ve used this excellent article on how to implement Let’s Encrypt certificates on Pound:

Basically, Pound listens to the incoming data and forwards the traffic with the “.well-known” URL to the standalone certbot at a different port on the same machine. This works well for the active loadbalancer.

What I want to achieve is for the second loadbalancer to actively renew its certificate as well. I figured I could maybe expand the ruleset on the active loadbalancer so it reroutes incoming challenges for the second loadbalancer to its IP address.

So from:

ListenHTTP
    Service
        URL "/.well-known/acme-challenge/.*"
        BackEnd
            Address 127.0.0.1
            Port 8000
        End
    End

Change to something like:

ListenHTTP
    # Pound's URL directive matches only the request path, so the
    # loadbalancer has to be selected on the Host header instead
    Service
        HeadRequire "Host: loadbalancer1.fqdn"
        URL "/.well-known/acme-challenge/.*"
        BackEnd
            Address loadbalancer1.ip.add.res
            Port 8000
        End
    End
    Service
        HeadRequire "Host: loadbalancer2.fqdn"
        URL "/.well-known/acme-challenge/.*"
        BackEnd
            Address loadbalancer2.ip.add.res
            Port 8000
        End
    End

And running the following commands:

/certbot-auto certonly --standalone --agree-tos -d {fqdn} --email {emailaddress} --preferred-challenges http --http-01-port 8000 --http-01-address loadbalancer1.fqdn --dry-run

and on the second loadbalancer:

/certbot-auto certonly --standalone --agree-tos -d {fqdn} --email {emailaddress} --preferred-challenges http --http-01-port 8000 --http-01-address loadbalancer2.fqdn --dry-run

The domain URL and the loadbalancer URLs are pointing to the same (single) IP address of the NAT router. The loadbalancers have unique names.

But whatever I try, it looks like the received challenge is not accepted:

Domain: domain_url
Type: unauthorized
Detail: Invalid response from
http://domain_url/.well-known/acme-challenge/[edited]
[ip.ad.dr.es]: 503

For those who have kept on reading:

Does anyone have ideas? A similar setup?

Thanks,
Edgar

I don’t think you can achieve what you want with anything of that sort.
You must use unique FQDNs to reach the individual load balancers, so that implies that they will never have the same FQDN cert.

Look into DNS authentication or a method of renewing and then copying the cert from the active load balancer to the standby.

That’s correct, but I figured each loadbalancer could ask for a second cert which happens to be the same for both and thus ‘share’ it.

Maybe I misunderstand the function of the --http-01-address option. I thought it changed the challenge from the server so it also included the given address. So the local client can answer on that specific URL. Alas.

Looks like I’m going to copy the certs and all related data over to the standby server after each renewal.
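The copy-after-renewal approach the thread ends on, as an added example that is not part of any post here: a certbot `--deploy-hook` script that builds the single PEM file Pound’s `Cert` directive reads (key plus full chain) and pushes it to the standby. The standby host, the PEM path and the Pound restart command are assumptions; certbot itself sets `RENEWED_LINEAGE` when it calls the hook.

```shell
#!/bin/sh
# Constructed certbot deploy hook for the active/standby Pound pair in this
# thread. STANDBY_HOST, POUND_PEM and POUND_RESTART are assumed values.
set -eu

STANDBY_HOST="${STANDBY_HOST:-loadbalancer2.ip.add.res}"   # standby LB (assumption)
POUND_PEM="${POUND_PEM:-/etc/pound/domain_url.pem}"         # file named by Pound's Cert directive
POUND_RESTART="${POUND_RESTART:-systemctl restart pound}"   # how Pound picks up the new cert

# Build the combined PEM Pound expects from a certbot lineage directory
# (the directory certbot passes as $RENEWED_LINEAGE).
# Usage: build_pound_pem <lineage_dir> <output_file>
build_pound_pem() {
    lineage="$1"; out="$2"
    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || return 1
    # umask in a subshell so the bundle is created owner-only (key material)
    ( umask 077; cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$out.tmp" )
    mv "$out.tmp" "$out"                         # atomic replace, no half-written cert
}

# Number of PEM blocks in a file: one key plus at least two certificates is
# expected for a Let's Encrypt fullchain, so anything below 3 is incomplete.
pem_block_count() {
    grep -c -- '-----BEGIN ' "$1"
}

# Copy the bundle to the standby with the same path and mode, then restart
# Pound on both machines so both serve the renewed certificate.
deploy_to_standby() {
    pem="$1"; host="$2"
    scp -p "$pem" "root@$host:$pem"
    ssh "root@$host" "$POUND_RESTART"
    $POUND_RESTART
}

# Only deploy when certbot invoked us as a hook; sourcing the file is a no-op.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    build_pound_pem "$RENEWED_LINEAGE" "$POUND_PEM"
    [ "$(pem_block_count "$POUND_PEM")" -ge 3 ] || { echo "bundle incomplete" >&2; exit 1; }
    deploy_to_standby "$POUND_PEM" "$STANDBY_HOST"
fi
```

Register it once with `certbot certonly ... --deploy-hook /path/to/this-script.sh`; certbot then runs it only after a successful renewal, not on the dry run.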
