Advice on using LetsEncrypt in a load balancing setup (SSL passthrough)

Hello, I’m using LetsEncrypt on two servers working behind a load balancer and wanted to ask if the setup I’m using would be stable going forward.

The Load Balancer is set up in SSL pass-through mode. Initially, I had only server 1, whose IP I mapped to the domain and obtained an SSL. Then I created the second server and am syncing the certificate files between them by using lsyncd on /etc/letsencrypt. Finally, I activated the load balancer and switched the DNS records for the domain to point to the load balancer.

It all seems to be working as expected, but I have a nagging suspicion that I might be overlooking something. The biggest question for me is, when the first server renews its certificate after 30 days, will the second server automatically start using the same certificate? It seems so, and to test that, I issued a new certificate on server 1, after which the files got synced to the second server and the overall setup seems to be working smoothly.

All in all, can I count on this setup going forward, or is there something I should be worried about?

Hi @ankush981,

You didn't say which challenge you are using, dns-01 or http-01. If you are using dns-01 there is no problem, but if you are using http-01 keep in mind that you could run certbot on server 1 but the load balancer could send the request from Let's Encrypt to validate your domain to server 2, so keep that in mind... you could use a redirect rule on your server 2 to point .well-known/acme-challenge/ to your server 1... There are multiple options but it will depend on your infrastructure... anyway, here the simplest method is using dns-01 instead of http-01.

Also, you are using lsyncd to sync the certs between both servers, but usually the services using the certificates need a reload or restart to use the newly issued certs... I don't know whether lsyncd allows triggering some action when it syncs the dirs, but if that is not the case, either you create your own script to connect to server 2 and restart/reload your service(s) after the new certs are synced, or use another script on server 2 to monitor changes in the cert files to reload your services (the tool I'm talking about is inotifywait, part of inotify-tools).

Cheers,
sahsanu

1 Like
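The routing problem sahsanu describes is easy to check before a renewal is attempted. The following script is an added example, not code from the thread or from certbot: it places nothing itself, but given a probe token that you have written into server 1's webroot, it fetches that token through the load balancer several times (each request may land on either backend) and only succeeds if every response matches. The domain, the webroot path `/var/www/html` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: pre-renewal check that the http-01 challenge path is served
# consistently through the load balancer, whichever backend it picks.
# Assumptions (hypothetical): certbot runs on server 1 with --webroot
# /var/www/html, and the balancer answers on port 80 for $DOMAIN.

CHALLENGE_PATH="/.well-known/acme-challenge"

# fetch_token DOMAIN TOKEN -> prints the body served at the challenge URL.
# Plain HTTP on port 80, which is what the http-01 validator uses.
fetch_token() {
    curl -fsS --max-time 5 "http://$1$CHALLENGE_PATH/$2"
}

# check_challenge_route DOMAIN TOKEN EXPECTED TRIES [FETCHER]
# Fetches the token TRIES times and returns 0 only if every response equals
# EXPECTED; a single mismatch means one backend does not serve (or proxy)
# the challenge directory and a real renewal could fail the same way.
# FETCHER defaults to fetch_token so a test can substitute a fake fetcher.
check_challenge_route() {
    domain=$1; token=$2; expected=$3; tries=$4; fetcher=${5:-fetch_token}
    i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        body=$("$fetcher" "$domain" "$token") || {
            echo "attempt $i: request failed" >&2
            return 1
        }
        if [ "$body" != "$expected" ]; then
            echo "attempt $i: got '$body', expected '$expected'" >&2
            return 1
        fi
    done
    return 0
}

# Typical use on server 1 (constructed values), before certbot renew:
#   token="probe-$(date +%s)"
#   mkdir -p "/var/www/html$CHALLENGE_PATH"
#   printf '%s\n' "$token" > "/var/www/html$CHALLENGE_PATH/$token"
#   check_challenge_route example.com "$token" "$token" 10 && echo "route OK"
#   rm -f "/var/www/html$CHALLENGE_PATH/$token"
```

Ten tries is a heuristic: with two backends and round-robin balancing a handful of requests will hit both, but a balancer using sticky sessions by source address may always return the same backend from the probing host, in which case run the probe from a second address as well.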

Hi @sahsanu, thanks for the reply! I don’t have much knowledge of the certification process so didn’t mention the type. I now went back and checked that it’s an http-01 challenge. So it means I currently have a risky setup? How do I perform a dns-01 challenge?

As for lsyncd, it’s more than awesome. I’ve verified that it’s able to carry out changes in near real-time (with some settings).

Yes, because you are executing certbot on server 1 and, as you are using http-01, the challenges are created on server 1, but when Let's Encrypt tries to validate those challenges, your load balancer could decide to send that request to server 2, and server 2 knows nothing about those challenges, so the renewal will fail.

You could sync those challenges between your servers but I don't know how fast lsyncd is syncing them... you could create a shared dir so both servers see the same content, you could create a proxy block on your server 2 pointing to server 1 to serve the challenges, you could... put here some creative way so that both servers answer the same challenge when renewing ;).

It will depend on whether your DNS provider offers some kind of API so you can automate the process. Even if your DNS provider has an API, you need some script to add/modify/remove TXT records for your domain; certbot only supports a few providers and plugins can't be installed in an easy way... yet, but they will. You could also use lexicon (it supports a lot of DNS providers) and you have an excellent guide to use it with certbot.

That is perfect but, as I said the services using those certificates need to be restarted/reloaded to load the new certificates.

Cheers,
sahsanu

2 Likes
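The reload step sahsanu keeps coming back to is the part lsyncd does not do for you. The script below is an added example, not code from the thread, lsyncd or certbot: it is the "monitor changes on server 2" option, built around inotifywait from inotify-tools. A fingerprint of the live chain and key is kept in a state file, so a burst of inotify events for one renewal produces exactly one reload, and nginx's config is checked before reloading so a half-copied file cannot take the service down. The certificate name `example.com`, nginx as the TLS terminator, and the state file path are assumptions.

```shell
#!/bin/sh
# Added example: cert-change watcher for server 2. lsyncd mirrors
# /etc/letsencrypt from server 1; this reloads the service that uses the
# certificates when the live files actually change.
# Assumptions (hypothetical): nginx terminates TLS, the certificate lineage is
# "example.com", and inotify-tools is installed for the live loop.

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/example.com}"
STATE_FILE="${STATE_FILE:-/var/run/cert-watch.state}"

# cert_fingerprint DIR -> one checksum covering chain and key together, so a
# renewal where only one of the two has landed yet gives a different value
# than the finished sync (cat follows the symlinks certbot keeps in live/).
cert_fingerprint() {
    cat "$1/fullchain.pem" "$1/privkey.pem" 2>/dev/null | sha256sum | cut -d' ' -f1
}

# cert_changed DIR STATE -> returns 0 if the fingerprint differs from the
# recorded one (and records the new value), 1 if nothing changed.
cert_changed() {
    current=$(cert_fingerprint "$1")
    previous=$(cat "$2" 2>/dev/null || true)
    if [ "$current" = "$previous" ]; then
        return 1
    fi
    printf '%s\n' "$current" > "$2"
    return 0
}

# reload_if_changed DIR STATE -> reloads nginx only when the certs changed.
reload_if_changed() {
    if cert_changed "$1" "$2"; then
        # Validate first: a partially synced key would otherwise make the
        # reload fail and could leave nginx without a working TLS config.
        nginx -t && systemctl reload nginx
    fi
}

# Live loop: wake on writes anywhere under /etc/letsencrypt (lsyncd writes
# the archive/ files and then updates the live/ symlinks). The short sleep
# lets both fullchain and privkey land before the comparison.
watch_loop() {
    inotifywait -m -r -e close_write -e moved_to -e create /etc/letsencrypt |
    while read -r _dir _events _file; do
        sleep 2
        reload_if_changed "$LIVE_DIR" "$STATE_FILE"
    done
}

# Run as a long-lived service on server 2:  watch_loop
```

On server 1 the same `reload_if_changed` logic belongs in certbot's `--deploy-hook`, which certbot runs only after a successful issuance; server 2 has no such hook because it never runs certbot, which is why it needs the watcher.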
