Clustered Webservers behind Load Balancer


#1

We are having problems with the web authorisation process because we have multiple web servers behind a load balancer.

What would be ideal would be a local authorisation file to be written to disk and the script to pause to allow an advanced user to copy the authorisation file across the cluster. After this the keys and certs would be written locally in an output directory for manual installation by an advanced user.

For us this would allow us to drop the certificates into our AWS ELB autonomously via the Amazon API with an IAM Role.

This would solve a lot of your advanced user issues around authorisation of domains and configuration of clusters.

QUACK!


#2

Hey,

I would appreciate this.

As far as I know the authorization is only valid for the period where the LE client asks for it. This is really bad for this type of situation and for example a bad cached DNS record or something where I need to roll out the files across some large clusters with hundreds of application and web servers. Specifically the application type and the folder with the beginning dot are getting me into some trouble with some webhosters and/or filehosters like S3 and CloudFront. You have to upload the files to S3 with the specific content-type and have to wait for them to be available on all CloudFront servers. And this with every subdomain and every 3 months :confused:

Big +1


#3

We use https://github.com/diafygi/acme-tiny on a single EC2 instance. The script was modified (one line) so that after the file was written, our own script was called to make the file available on all of the instances (scp the file, put it in a database, whatever works for your system). We are happily generating certs from an instance and uploading to AWS where they can be assigned to the listener on the ELB. Now there is support for verification by DNS, but we still use this method because for some of our domains it is easier to verify on the web.
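An added example, not the poster's modified acme-tiny or their distribution script: a Python hook that writes the HTTP-01 challenge file, pushes it to every node behind the load balancer with scp, and then polls each node directly (with the Host header set to the domain) until all of them serve the key authorization, so the ACME client only asks for validation once the whole cluster is ready. The node names, the identical webroot path on every node and the scp transport are assumptions.

```python
import subprocess
import time
import urllib.request
from pathlib import Path

ACME_DIR = ".well-known/acme-challenge"

def write_challenge(webroot, token, key_auth):
    """Write the HTTP-01 response file under the local webroot."""
    path = Path(webroot) / ACME_DIR / token
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(key_auth)
    return path

def scp_copy(node, path):
    """Copy the file to one node; assumes the same webroot path there."""
    subprocess.run(["scp", "-q", str(path), f"{node}:{path}"], check=True)

def http_fetch(node, domain, token):
    """Fetch the challenge from one node directly, bypassing the load
    balancer; the Host header makes the node's vhost for domain answer."""
    req = urllib.request.Request(f"http://{node}/{ACME_DIR}/{token}",
                                 headers={"Host": domain})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    except Exception:
        return None

def distribute(path, nodes, copy=scp_copy):
    """Push the file to every node; return the nodes where the copy failed."""
    failed = []
    for node in nodes:
        try:
            copy(node, path)
        except Exception:
            failed.append(node)
    return failed

def wait_until_served(nodes, domain, token, key_auth, fetch=http_fetch,
                      attempts=10, delay=1.0):
    """Poll every node until each serves exactly key_auth; return stragglers.
    Only let the ACME client request validation once this returns []."""
    pending = set(nodes)
    for _ in range(attempts):
        pending = {n for n in pending if fetch(n, domain, token) != key_auth}
        if not pending:
            return []
        time.sleep(delay)
    return sorted(pending)
```

A non-empty result from either `distribute` or `wait_until_served` means at least one node would fail the validation request if the load balancer happened to route it there, so the hook should abort rather than let the client continue.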


#4

I had sort of the same issue (round robin dns, nginx), I managed to get it working using sshfs.

I’ve written (roughly) how I did it here: