We have a cluster of nodes using LetsEncrypt and the HTTP challenge. They all request their own certificates.
Each node has its own CN, but there is also a common cluster SAN entry added to each CSR.
cluster.example.com: 184.108.40.206, 220.127.116.11
The cluster A record resolves to all the IP addresses in the cluster.
When a node requests a certificate, how does LetsEncrypt choose from the addresses cluster.example.com resolves to, when it goes to issue an HTTP challenge for cluster.example.com? Or is it random?
I believe it’s completely random… Although it might prefer the first address overall…
But you should always make the verification token available on all machines… So it would not give any errors when loading the tokens.
If this is hard to synchronize in your configuration, a popular alternative is to create 301 redirects from /.well-known/acme-challenge on all of the other nodes to /.well-known/acme-challenge on a single designated node (perhaps via a dedicated subdomain name that only points to that node). The validator will follow this redirect, so that the request would always end up with the designated node that you chose.
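A pre-flight check for the advice in the replies above, added here as an example and not part of the original thread: it connects to each node's address directly, sends the cluster name as the Host header, and confirms every node either serves the challenge file itself or redirects to the designated node. The probe file name, its expected body and the designated host name are assumptions the operator supplies.

```python
import http.client
from urllib.parse import urlsplit

CHALLENGE_DIR = "/.well-known/acme-challenge/"


def check_node(addr, port, cluster_name, probe, expected, designated_host):
    """Classify one node as 'serves', 'redirects' or 'broken: <reason>'.

    probe/expected: an operator-placed test file under the challenge
    directory and its contents (assumption, not a real ACME token).
    designated_host: hypothetical name that points only at the one node
    chosen to answer challenges.
    """
    path = CHALLENGE_DIR + probe
    conn = http.client.HTTPConnection(addr, port, timeout=5)
    try:
        # Connect to the node's own address but send the shared name as
        # Host, as a validator does after picking one of the A records.
        conn.request("GET", path, headers={"Host": cluster_name})
        resp = conn.getresponse()
        body = resp.read().decode("ascii", "replace").strip()
        location = resp.getheader("Location", "")
    except (OSError, http.client.HTTPException) as exc:
        return f"broken: {exc.__class__.__name__}"
    finally:
        conn.close()
    if resp.status == 200:
        return "serves" if body == expected else "broken: wrong body"
    if resp.status in (301, 302, 307, 308):
        target = urlsplit(location)
        # The redirect must keep the same path and land on the designated
        # node, otherwise the validator ends up somewhere without the token.
        if target.hostname == designated_host and target.path == path:
            return "redirects"
        return f"broken: redirect to {location!r}"
    return f"broken: HTTP {resp.status}"


def check_cluster(nodes, cluster_name, probe, expected, designated_host):
    """nodes: iterable of (address, port), one per A record of the cluster."""
    return {
        f"{addr}:{port}": check_node(addr, port, cluster_name, probe,
                                     expected, designated_host)
        for addr, port in nodes
    }
```

Run it with one `(address, 80)` pair per A record before requesting a certificate; any node reported as `broken` is one the validator could pick and fail on.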