I have two servers behind a load balancer, with >350 domains pointed to the load balancer’s IP, which are redirected 50/50 to one of two nodes. All management including certbot is to be carried out on node 01.
There is an NFS mount point for /var/www/vhosts and Unison synchronises specified files and directories including all Apache conf files, LE certs and LE http-01 challenge files.
The problem is that I need to run a command to force sync of the challenge files and reload apache on the 02 node between writing the challenge files and requesting authorization from the ACME server, because if I don’t, only the 01 node has the challenge files and temporary conf edits, and when the auth request comes in via the load balancer, it is sometimes hitting the 02 node and getting a 404.
I haven’t found quite enough documentation on the --deploy-hook option, but I’ve tried pre and post hooks and they don’t work.
I appreciate a DNS challenge might be an alternative but the provider (Gandi) has an enforced minimum TTL and what appears to be slow propagation. I don’t believe I can achieve automation of this without other issues and would like certbot to handle Apache configuration for me, so the http-01 challenge makes sense. Any and all advice appreciated.
My domain is:
maple-motor-services.co.uk
I ran this command:
certbot --expand --reinstall --apache --redirect --non-interactive --preferred-challenges http --deploy-hook "/usr/bin/file_sync.sh && httpd -t && apachectl graceful && ssh -p2020 merr-web-02 apachectl graceful" -d adm02.clients.merrehill.co.uk,c.adm02.clients.merrehill.co.uk,www.adm02.clients.merrehill.co.uk,maple-motor-services.co.uk,c.maple-motor-services.co.uk,www.maple-motor-services.co.uk
It produced this output:
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: c.adm02.clients.merrehill.co.uk
Type: unauthorized
Detail: Invalid response from
[159.253.213.20]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Domain: www.maple-motor-services.co.uk
Type: unauthorized
Detail: Invalid response from
[159.253.213.20]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
Domain: c.maple-motor-services.co.uk
Type: unauthorized
Detail: Invalid response from
[159.253.213.20]: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
My web server is (include version):
Apache 2.4.6
The operating system my web server runs on is (include version):
CentOS 7.6.1810
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Webmin 1.900/Virtualmin 6.06
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.30.2
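As an added example, not from the original poster, the hook that certbot runs between receiving the http-01 challenge and asking the ACME server to validate it is the manual authenticator's --manual-auth-hook (the deploy, pre and post hooks all run outside that window). The script below uses that hook to write the token on node 01, push it to node 02, and clean up afterwards; the script path, the per-domain docroot layout under /var/www/vhosts/<domain>, and rsync over the post's ssh -p2020 to merr-web-02 as the replication step are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): certbot manual auth/cleanup hook
# that writes the http-01 token on node 01, replicates it to node 02, and only
# then returns so certbot requests validation from the ACME server.
# Certbot exports CERTBOT_DOMAIN, CERTBOT_TOKEN and CERTBOT_VALIDATION to the
# hook. Intended invocation (script path assumed):
#   certbot -a manual -i apache --redirect --preferred-challenges http \
#     --manual-auth-hook "/usr/local/bin/acme_sync.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/acme_sync.sh cleanup" -d ...
# Assumed: docroots under /var/www/vhosts/<domain>; rsync over ssh -p2020
# to merr-web-02 stands in for whatever replication (Unison) is in place.

WEBROOT_BASE="${WEBROOT_BASE:-/var/www/vhosts}"
PEER="${PEER:-merr-web-02}"
PEER_SSH_PORT="${PEER_SSH_PORT:-2020}"

challenge_dir() {
    # Directory Apache serves /.well-known/acme-challenge/ from for domain $1.
    printf '%s/%s/.well-known/acme-challenge\n' "$WEBROOT_BASE" "$1"
}

write_challenge() {
    # $1=domain $2=token $3=key authorization. Prints the path written.
    # Refuse tokens that could escape the challenge directory.
    case "$2" in ''|*/*|..*) echo "bad token: $2" >&2; return 1 ;; esac
    dir=$(challenge_dir "$1")
    mkdir -p "$dir" || return 1
    printf '%s' "$3" > "$dir/$2" || return 1
    printf '%s\n' "$dir/$2"
}

sync_to_peer() {
    # Push challenge directory $1 to node 02 so either node answers the probe.
    rsync -a --delete -e "ssh -p$PEER_SSH_PORT" "$1/" "$PEER:$1/"
}

auth_hook() {
    # Runs after certbot receives the challenge, before it asks for validation.
    write_challenge "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" >/dev/null \
        && sync_to_peer "$(challenge_dir "$CERTBOT_DOMAIN")"
}

cleanup_hook() {
    # Remove the token locally and replicate the deletion to node 02.
    rm -f "$(challenge_dir "$CERTBOT_DOMAIN")/$CERTBOT_TOKEN"
    sync_to_peer "$(challenge_dir "$CERTBOT_DOMAIN")"
}

case "${1:-}" in
    auth) auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Because the hook only returns after the sync completes, the load balancer can send the validation probe to either node and both serve the same token.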