Dual NGINX + Dual Application Servers

Hi All,

Just wanted to get some people's opinions on how to go about this scenario.

Current setup (on AWS):

  • Two NGINX Plus instances (not in HA - issues with AWS, so we use Route53 to fail over between instances)
  • Two Application instances.

I’m trying to think of the best way to get Let’s Encrypt to create and distribute the files as needed.

Say we install Let’s Encrypt on NGINX-A; we will need to replicate the certificates to NGINX-B. That’s okay, I can create a cron job to SCP the files across.

The main issue I’m facing is using the webroot: NGINX doesn’t have access to the app server to put the needed verification files there.

Also, I assume Let’s Encrypt then sends a web request to verify it’s there? And I can’t guarantee the request will always go to APP-A and not APP-B.

I may be overthinking this, so I would appreciate any feedback, or hearing if anyone has been able to get it to work in a similar scenario.

Thanks,
Lee.

This is commonly solved by using a central validation server (e.g. acme-validate.example.com) and having all your web server instances redirect requests for /.well-known/acme-challenge/* to this server (with a regular HTTP 301). The validation server could be running the client in standalone mode, and Let’s Encrypt will happily follow the redirect to that server.

Another option is to use a DNS-based challenge with one of the alternative clients. Lego, for example, comes with a plugin (or provider, as they call it) for Route 53.

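What the redirect approach above looks like in an NGINX server block, as an added example (not configuration from the original post or from pfg); the hostnames, the `app_backend` upstream name and the use of certbot on the validation host are assumptions for illustration:

```nginx
# Edge NGINX (identical on NGINX-A and NGINX-B). Assumed names: example.com,
# acme-validate.example.com and an upstream called app_backend.
upstream app_backend {
    server 10.0.1.10:8080;   # APP-A (assumed address)
    server 10.0.1.11:8080;   # APP-B (assumed address)
}

server {
    listen 80;
    server_name example.com www.example.com;

    # Send every ACME HTTP-01 challenge request to the central validation host.
    # Let's Encrypt follows the 301; $request_uri carries the token path through
    # unchanged. The "^~" prefix match stops any regex location (for example a
    # static-asset rule) from shadowing this path.
    location ^~ /.well-known/acme-challenge/ {
        return 301 http://acme-validate.example.com$request_uri;
    }

    # Everything else keeps going to the application instances as before.
    location / {
        proxy_pass http://app_backend;
    }
}

# On acme-validate.example.com nothing listens on port 80 except the ACME
# client in standalone mode while it answers the challenge, e.g. (assumed client):
#   certbot certonly --standalone -d example.com -d www.example.com
# The issued files then get copied to both NGINX instances, as the poster planned.
```

Two things to check on the edge instances: an HTTP-to-HTTPS redirect written as a server-level `return 301 https://...` runs before location matching and will redirect the challenge too, so keep that redirect inside `location /` (or an `if`-free catch-all location) rather than at server level; and the redirect target should stay plain `http://`, since the validation host has no certificate yet when the very first challenge is answered.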

Thank you pfg! Fantastic, was definitely overthinking!

@pfg, that’s a great technique!

Just as an update, thanks to advice from @pfg, we have implemented this solution :slight_smile:

Okay, I know this is referring to NGINX, but I’m having the same issue and am looking for, I guess, the syntax, if anyone is familiar with doing this type of redirect using Squid. I’m very new to Squid.