Certificate for two servers, foreign IP


#1

Hello world !!!

I am running two servers behind a loadbalancer and I need to create certificates on both.
The problem is, when System1 has an A record, it can create the cert and creation on System2 fails.
Equal problem when System2 has an A record.
if the DNS points to the loadbalancer, cert creation fails on both systems.

Is there a way to create a certificate if the DNS does not point to the creating system ?

If one system fails, the surviving one should be able to create certs. Currently it works only for the system with the A entry. THe other System gives :

- The following errors were reported by the server:
 Domain: <domain.tld>
Type:   unauthorized
Detail: Invalid response from
http://<domain.tld>/.well-known/acme-challenge/r4qrF0y_F9wzQrZqnISQkfc1U9miXRrCeBI_TqLDYAM:
"<!DOCTYPE html>
  <!--[if lt IE 7]> <html lang="es" class="no-js lt-ie9 lt-ie8
lt-ie7">     <![endif]-->   <!--[if IE 7]>    <h"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. 

I ran this command: sudo certbot --dry-run certonly -d <domain.tld> --apache --apache-server-root /etc/httpd/ --apache-vhost-root /etc/httpd/conf.d --apache-le-vhost-ext ‘’ --reinstall --no-redirect

It produced this output: see above

My web server is (include version) : Apache/2.4.6 (Red Hat Enterprise Linux)

The operating system my web server runs on is (include version): Linux 3.10.0-514.el7.x86_64 #1 SMP Wed Oct 19 11:24:13 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux

I can login to a root shell on my machine (yes or no, or I don’t know): yes


#2

Yes, there are a number of ways. One is to use the DNS challenge which involves creating a DNS TXT record rather than a file on the server to prove your control over the domain.

Certbot has plugins to support this challenge with various DNS providers, but I’m not sure what the packaging situation is on RHEL currently. If you can’t find an appropriate plugin you might try a different ACME client, for example acme.sh is famous for supporting many DNS providers’ APIs (though it won’t automatically configure Apache for you like Certbot does).


#3

Thank you jmorahan,

the acme.sh looks good. My DNS provider is listed.
Will test it and leave a reply.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.