Certbot and external loadbalancer

My cloud provider have a load balancer, which all our requests go to. And that load balancer then redirects the requests to multiple servers.

If I have a server outside of the load balancer I can easily generate the certs with certbot, however when I put it behind the load balancer sometimes the acme-challenge requests goes to other servers underneath the load balancer.

I'm running Ubuntu 22.04 with Nginx, my plan was to redirect all acme challenges on the other servers to the issueing server and then have a cronjob which syncs the cert over the other servers.

Do anyone know of a smooth way to solve this?

You could use dns validation. Or you could set the other servers as reverse proxies for the one on which Certbot is running. Or you could sync the challenge files on all servers, probably using the webroot method.

It's more a matter of what works best for you.

Can't the load balancer terminate the TLS connections?
[that's how Cloudflare does their CDN]

Are they all in the same network/data center/location?
[confused about the word "external" in the topic title]

Yes, sorry. Using external here as in its not a software loadbalancers. Its in the same data center/location/network.

In short: There are no wrong answers/many ways to do this.
So long as it solves your problem, you are comfortable with the solution, and you can troubleshoot it quickly should trouble arise.

And welcome to the LE community forum

Do you know how to do reverse proxies more specificly with nginx?

In short my current steup:
domain.com points to 1.2.3.4

1.2.3.4 is my load balancer redirecting the traffic to: 2.3.4.5 and 3.4.5.6

2.3.4.5 is my issuing server and 3.4.5.6 is the other, this is 3.4.5.6s nginx config file. Meanwhile 2.3.4.5 has the same except the .well-known part.

server {
    listen 80;

    server_name domain.com;

    location / {
        proxy_pass http://127.0.0.1:5555;
    }

    location ^~ /.well-known/acme-challenge {
        proxy_pass http://domain.com;
    }
}

This doesnt work, am I doing something wrong? Feels like I need to specify the specific IP or something in the well-known location?

more like

 location ^~ /.well-known/acme-challenge {
        proxy_pass http://2.3.4.5;
    }

If the two systems can see each other, then update the /etc/hosts file in system two to point to system one [for that domain].
That will force the challenge requests to system one.

That might not be served correctly.
Especially when serving multiple domains.

Otherwise, you can redirect all the challenge requests to some other FQDN that isn't load balanced.

I am not sure. proxy_pass should keep sni untouched.

Why not?
I do it that way [a lot].

It's just a matter of telling the "proxy" where the actual source for that name is at.
You can do that by:

• using internal DNS
• updating the local /etc/hosts file

I mean, they should both work.

third option: nginx could look at server_name (this I really don't know)

I put the IP address there directly because nginx should forward all the sni stuff to the proxied server (right now I don't remember if it does so by default or it needs configuration)

Thanks both of you guys!

It worked out great, I added the domain in the /etc/hosts.

Since the services never talk to the domains themselves it should be more than fine. And there are multiple domains on all servers, this worked for all domains and they now generate it correctly.

Solution:

Nginx config

server {
    listen 80;

    server_name domain.com;

    location / {
        proxy_pass http://127.0.0.1:5555;
    }

    location ^~ /.well-known/acme-challenge {
        proxy_pass http://domain.com;
    }
}

/etc/hosts

2.3.4.5 domain.com

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.