Just wanted to get some people's opinion on how to go about this scenario.
Current setup (on AWS):
Two NGINX Plus instances (not in HA - issues with AWS, so we use Route53 to failover between instances)
Two Application instances.
I’m trying to think of the best way to get Let’s Encrypt to create and distribute the files as needed.
Say we install Let’s Encrypt on NGINX-A, we will need to replicate the certificates to NGINX-B. That’s okay, I can create a cron job to SCP the files across.
The main issue I’m facing is using the webroot: NGINX doesn’t have access to the App Server to put the needed verification files.
Also I assume Let’s Encrypt then sends a web request to verify it’s there? And I can’t guarantee the request will always go to APP-A and not APP-B.
I may be overthinking this, so I would appreciate any feedback, or if anyone has been able to get it to work in a similar scenario.
This is commonly solved by using a central validation server (e.g. acme-validate.example.com) and having all your web server instances redirect requests for /.well-known/acme-challenge/* to this server (with a regular HTTP 301). The validation server could be running the client in standalone mode, and Let’s Encrypt will happily follow the redirect to that server.
Another option is to use a DNS-based challenge with one of the alternative clients. Lego, for example, comes with a plugin (or provider, as they call it) for Route 53.
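The edge-server side of the redirect approach, as an added example rather than the answerer's own configuration: a port-80 NGINX server block, identical on NGINX-A and NGINX-B, that sends only the ACME challenge path to a central validation host and proxies everything else to the app tier. The validation hostname, site names and backend addresses are assumed placeholders.

```nginx
# Constructed example: the two app instances from the question (APP-A, APP-B).
# Addresses are placeholders, not real infrastructure.
upstream app_backend {
    server 10.0.1.10:8080;   # APP-A (placeholder)
    server 10.0.1.11:8080;   # APP-B (placeholder)
}

# Plain-HTTP server on each NGINX instance. Because both instances carry
# the same block, it does not matter which one Route53 points at when
# Let's Encrypt performs the HTTP-01 check.
server {
    listen 80;
    server_name example.com www.example.com;   # placeholder names

    # ^~ is a prefix match that takes priority over regex locations, so a
    # site-wide "redirect everything to HTTPS" rule cannot swallow the
    # challenge path.
    location ^~ /.well-known/acme-challenge/ {
        # Keep the scheme as http: the standalone client on the validation
        # host answers on port 80, and Let's Encrypt follows the 301 there.
        # acme-validate.example.com is the assumed central validation host.
        return 301 http://acme-validate.example.com$request_uri;
    }

    # Everything else behaves as before; NGINX never needs to write files
    # on the app servers for validation.
    location / {
        proxy_pass http://app_backend;
    }
}
```

Before relying on this at renewal time, confirm from outside that `curl -I http://example.com/.well-known/acme-challenge/test` returns a 301 with a `Location:` on the validation host from each NGINX instance in turn, since Route53 may fail over between them. Copying the issued certificate to the second instance remains a separate step, as described in the question.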
Okay, I know this is referring to NGINX, but I’m having the same issue and am looking for, I guess, the syntax, if anyone is familiar with doing this type of redirect using squid. I’m very new to squid.