Configuring A Dedicated LetsEncrypt Server to Answer Challenges in Nginx Load Balanced Configuration


#1

I'm trying to automate the process of auto-enrolling and renewing the certificates.

But I have multiple nginx frontend servers, with multiple public IPs for the same site names.

If I try to enroll certificates via Ansible, the ACME challenge checks only one IP for the example site, and enrolling on the other frontend servers fails, because the site has more than one public IP.

What can I do about that? Is it possible or not?

Thanks


#2

@westsouthnight

How is this about client dev? Isn't this more about server config or help?

What challenge are you trying to use? HTTP, TLS-SNI or DNS?

Is this about installing certificates or passing the challenges?

Andrei


#3

If you can use the HTTP-01 challenge method, corresponding to the webroot method in Certbot, you can configure each machine to redirect http://thatmachine.example.com/.well-known/acme-challenge/ to a central server with a 301 HTTP redirect, and then run your ACME client on the central server to obtain certificates for all of the machines. Other people have used this approach with great success.


#4

@ahaw021

I'm talking about this:

I have multiple frontend nginx servers with multiple IPs. Example below:

https://toolbox.googleapps.com/apps/dig/#ANY/woinc.space

I run certbot on each server at the same time with the command

/opt/certbot-auto/certbot-auto certonly --agree-tos --email ros@woinc.ru --webroot -w /opt/certbot-auto/web -d woinc.space --noninteractive

The certificate is successfully issued only for one server out of all of them each time I run Ansible. The next time, maybe the second server succeeds. It's very unstable. I don't understand what else I can do.


#5

@schoen has suggested a solution above. You need to redirect (or proxy, if you like) the verification requests to one specific machine. From that one you then push the issued/renewed certificate and do an nginx reload with Ansible on all your frontend nodes.


#6

@schoen

You may have a better memory than me.

In one of the posts you explained (with good samples) how to have a rewrite to a dedicated box on nginx.

Tried to do a quick search but couldn't find it.

Can you share it? Otherwise I can find it and post it later.

Andrei


#7

@ahaw021

I run my playbook via Ansible:

ansible-playbook -i inventories/develop/ cloud_playbooks/certbot-auto.yml

As an example, I have a DNS name and service at consul.woinc.space.

My nginx frontend servers have an ACME challenge location for that domain on each server:

Ansible inventory location example for consul.woinc.space:

location_consul:
    # the site itself: proxied to the per-environment consul upstream
    - location / {
          proxy_pass http://consul_{{ ansible_environment }};
      }
    # HTTP-01 tokens written by certbot --webroot -w /opt/certbot-auto/web
    - location ^~ /.well-known/acme-challenge/ {
          alias /opt/certbot-auto/web/.well-known/acme-challenge/;
      }

I have 5 nginx frontend servers with 5 real public records; you can dig the example via this link:

[dig](https://toolbox.googleapps.com/apps/dig/#A/consul.woinc.space)

certbot.yml playbook:

- name: fact gathering
  hosts: all
  tasks: []
  tags: [get_facts, always]

- name: Update LetsEncrypt Certs
  hosts: nginx-frontend
  serial: 1
  become: true
  roles:
   - certbot-auto

In the role I run the main task, which produces the errors for further processing:


# runs once per nginx-frontend host (serial: 1), so every host requests
# its own certificate for the same names
- name: Generate Certificates by Certbot
  shell: "{{ certbot_auto_settings.directories.main }}/certbot-auto certonly --agree-tos --email ros@woinc.ru --webroot -w {{ certbot_auto_settings.directories.webdir }} -d {{ item.name | join }} --noninteractive"
  register: certbot_generate_status
  with_items: "{{ pass_dict }}"

Only one server from the list correctly completes the certificate issuance process for each domain name.

As an example, I have 3 domains:

consul.woinc.space
powerdns.woinc.space
cp.woinc.space

and I want to get certificates for each domain on each server:

  1. Each domain from the list has 5 public IP addresses, which lead to the nginx-frontend IPs
  2. Each server in nginx-frontend has the site available for each domain and has the correct ACME setup (dirs, settings), because the settings are set up the same for all via Ansible
  3. Each server runs the command to regenerate/renew/issue a certificate: {{ certbot_auto_settings.directories.main }}/certbot-auto certonly --agree-tos --email ros@woinc.ru --webroot -w {{ certbot_auto_settings.directories.webdir }} -d {{ item.name | join }} --noninteractive

Only one server from the list completes the process correctly for each domain name.

As an example of the result, every time I see something like this:

DOMAIN1:
server1 completes the process correctly for domain1
the other servers give errors for this domain

DOMAIN2:
server3 completes the process correctly for domain2
the other servers give errors for this domain

DOMAIN3:
server5 completes the process correctly for domain3
the other servers give errors for this domain

Is there possibly a workaround for this?

I really don't understand what I need to redirect to a "main server". What main server? All servers are "main servers" with separate ACME challenge directories. And if I run my playbook multiple times, different servers complete the process than in the first run. Every time the successful result is produced on a random server. I think that's not correct.

Or do I need a network share or sync for the ACME folders so that all servers have the same ACME challenges?

My understanding: when certbot sends the request to issue/renew a certificate to the ACME server, the ACME server does a DNS lookup of the IP for that request, gets some IP from the list and goes to it with the ACME answer, and as a result the certbot server and client have mismatched requests and answers.

Maybe the ACME bot which provides the ACME answers for the ACME client could be extended with a feature that can determine all public IPs of the server and send the ACME answer to each public IP or to the needed server.

As an example, the SSL Labs SSL server check, which determines all public IPs for a domain and performs the check for each IP.

Thanks


#8

If you pick a particular server (that is always guaranteed to exist) as your dedicated ACME authentication server, each individual server can generate an HTTP 301 redirect for any requests for /.well-known/acme-challenge, redirecting those requests to an equivalent location on the ACME authentication server.

Then, a Let’s Encrypt client running on the authentication server can use the webroot method to pass challenges for any other server that has the 301 redirection in place. The certificates will be issued to the authentication server and can then be copied or deployed onto other servers. Many people are using this method successfully today. It requires having the authentication server be persistent and trusted in some ways, and also having the authentication server involved in every certificate issuance event.
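The redirect arrangement described in posts #3 and #8, written out as an added nginx example (not code from the thread or from Certbot). Assumptions: the dedicated ACME host is reachable as acme.example.com on a single, non-round-robin address; the webroot /opt/certbot-auto/web and the three site names come from the thread; nginx's `^~` prefix match is used so the challenge location wins over the site's own `location /`.

```nginx
# --- every nginx-frontend node (all 5 public IPs) ---
# Whichever frontend the Let's Encrypt validator reaches, it is sent on to
# the one ACME host. $request_uri preserves /.well-known/acme-challenge/<token>.
server {
    listen 80;
    server_name consul.woinc.space powerdns.woinc.space cp.woinc.space;

    location ^~ /.well-known/acme-challenge/ {
        return 301 http://acme.example.com$request_uri;
    }

    # Alternative from post #5: proxy instead of redirect. The validator then
    # never sees the ACME host's name; Host must be forwarded so the ACME
    # host can match the original site name.
    # location ^~ /.well-known/acme-challenge/ {
    #     proxy_pass http://acme.example.com;
    #     proxy_set_header Host $host;
    # }

    location / {
        # the site's own content (e.g. proxy_pass to the backend), unchanged
        proxy_pass http://backend_for_this_site;   # assumed upstream name
    }
}

# --- the dedicated ACME host (acme.example.com) ---
# Serves only the challenge directory on port 80. certbot runs here, e.g.:
#   certbot-auto certonly --webroot -w /opt/certbot-auto/web \
#       -d consul.woinc.space -d powerdns.woinc.space -d cp.woinc.space
# and the resulting cert/key are then pushed to the frontends and nginx reloaded.
server {
    listen 80;
    # acme.example.com is enough for the 301 variant; the site names are
    # needed if the proxy variant forwards the original Host header.
    server_name acme.example.com consul.woinc.space powerdns.woinc.space cp.woinc.space;

    root /opt/certbot-auto/web;   # the directory passed to certbot -w

    location ^~ /.well-known/acme-challenge/ {
        default_type text/plain;  # tokens have no file extension
        try_files $uri =404;
    }

    # Nothing else is served from this host over plain HTTP.
    location / {
        return 404;
    }
}
```

Check it before the first real run: `curl -I http://<each-frontend-ip>/.well-known/acme-challenge/test -H 'Host: consul.woinc.space'` should answer 301 with a Location on acme.example.com, and the same path on acme.example.com should answer 404 until certbot writes a token. Because every name that redirects here can be issued from this host, treat it as a trust anchor: restrict who can log in, keep the issued private keys readable only by the deployment job, and push them to the frontends over the same authenticated channel Ansible already uses.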


#9

The option of running your ACME client directly on each individual server, if multiple servers share the same DNS name, is not really well-supported, unless you script or prepare a way to make all the servers sharing the same name also share their /.well-known/acme-challenge directories.


#10

@schoen yes, you're right, I have multiple servers with the same DNS names. I need to have a shared acme-challenge folder, I understand; I'll go and check that way. Thanks. I'll write the result after tests.

