DNS challenge for multiple domains behind load balancer

Hi, I know there have been lots of topics regarding this, but I need some guidance.
My two domains point to a load balancer, which I don't have access to with ssh; it's provided to me.
The load balancer points to two different servers which I configured with nginx.
I'd like to ask two questions:
Can I create a single DNS certificate (creating a wildcard) for my two domains (example.it and example.com) and then use the DNS challenge to renew certificates?
Would it be best in my case if I just configured my nginx to point to one server for the HTTP acme-challenge and then share the certificates with the other server via a post-hook?

Welcome to the forum @tyzion

There is no one right answer as you have probably seen from searching this forum.

Does your Load Balancer terminate TLS for the clients? If so, do you really need TLS between the LB and your servers? Or could a self-signed cert be sufficient for that?

Here is a similar thread in case you have not seen it How to use Let's Encrypt with multiple servers

3 Likes

Hi @MikeMcQ Thank you very much for the prompt response!

I hadn't seen that one, I'll take a look, thanks!

No, I don't think so, but I have to check for it.
Meanwhile, do you know if I can do something like

certbot certonly --preferred-challenges=dns <options> -d www.example.com -d www.example.it

and create a wildcard for both domains?

The fact is that I can't access the load balancer and can't put certs in it.
I think all I have left to do is to use the post-hook to save the certs on the other server.

1 Like

You can do that if the authenticator you choose can validate both those domains.

(NB: for "wildcard" we mean a certificate that works for any subdomain of a given domain, not for two different domains. That would not be a wildcard, just a certificate for two domains.)

2 Likes

Hi @9peppe, what do you mean by authenticator?

So, if I manage to make the dns challenge and configure the CNAME in my DNSs, I wouldn't have to use any "authorized" certificate between the load balancer and my server?

That depends on how your load balancer works. There are different options.

1 Like

One thing I can't quite grasp is:

To make a DNS challenge I have to set a CNAME for both my domains, then I would have two different certificates, right?
Also I don't have any means to configure SSL certificates in the load balancer.
So, wouldn't the DNS challenge be useless in my case?

I can't know if it would be useless or not. (Edit: what I know is that if you don't need a wildcard but just a multi-domain certificate, I would use the http-01 challenge instead.)

But whether you get two certificates or just one (valid for both domain names) is up to you.

2 Likes

Technically, you use a TXT record in the DNS for that challenge. But, as already noted, if you do not need a wildcard then you could also use the HTTP challenge. You should automate whichever method you choose.

Without details of your Load Balancer there is no way to make specific suggestions. You might also try a forum for that LB to see what others do.

3 Likes

@9peppe and @MikeMcQ thanks a lot you guys! Then I'll go with the multi-domain certificate and the HTTP challenge!

2 Likes
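The approach the thread settles on (one certificate for both domain names, validated with the HTTP challenge on one backend, then copied to the other backend by a hook) can be wired up as below. This is an added example, not code from the thread or from certbot's own documentation; the webroot path, the peer hostname `backend2.example.internal`, the hook path `/usr/local/bin/sync-cert.sh` and the `PEER_HOST` variable are all assumptions. It relies on two things certbot does provide: the `--deploy-hook` option, which runs a script only after a successful issuance or renewal, and the `RENEWED_LINEAGE` environment variable it exports to that script (the `/etc/letsencrypt/live/<name>` directory). For the HTTP challenge to succeed behind the load balancer, the second backend's nginx should forward `/.well-known/acme-challenge/` to the backend running certbot, since the LB may hand the validation request to either server.

```shell
#!/bin/sh
# Added example: certbot command builder plus a deploy hook that copies a
# multi-domain certificate to a second backend behind a load balancer.
# Assumptions (placeholders, not from the thread): certbot runs on this
# backend with --webroot, the peer is reachable over ssh as PEER_HOST, and
# nginx on the peer reads the certificate from the same lineage path.

# Build one certbot invocation covering every domain passed in, validated
# with HTTP-01 and followed by the sync hook after a successful renewal.
certbot_cmd() {
    webroot="$1"; shift
    cmd="certbot certonly --webroot -w $webroot --preferred-challenges http --deploy-hook /usr/local/bin/sync-cert.sh"
    for d in "$@"; do
        cmd="$cmd -d $d"
    done
    printf '%s' "$cmd"
}

# Build the rsync command the hook runs. -L dereferences the symlinks in
# live/ so the peer receives real files; --chmod=F600 keeps the private key
# unreadable by other local users on the peer.
sync_cmd() {
    lineage="$1"; peer="$2"
    printf 'rsync -aL --chmod=F600 -e ssh %s/fullchain.pem %s/privkey.pem %s:%s/' \
        "$lineage" "$lineage" "$peer" "$lineage"
}

# Hook entry point: certbot sets RENEWED_LINEAGE only when it calls the
# script as a deploy hook, so nothing below runs when the file is sourced.
if [ -n "$RENEWED_LINEAGE" ]; then
    peer="${PEER_HOST:-backend2.example.internal}"
    ssh "$peer" "mkdir -p '$RENEWED_LINEAGE'"
    sh -c "$(sync_cmd "$RENEWED_LINEAGE" "$peer")"
    # Validate the peer's config before reloading so a bad copy does not
    # take the second backend down.
    ssh "$peer" 'nginx -t && systemctl reload nginx'
fi
```

Run `certbot_cmd /var/www/acme www.example.com www.example.it` once to issue the certificate; `certbot renew` (normally scheduled by the certbot package) reuses the saved `--deploy-hook`, so the copy to the peer happens automatically on every renewal. The ssh identity used by the hook should be restricted on the peer to the copy and reload commands, since it runs unattended as root.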

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.