HAProxy Virtual/Floating IP


#1

Hi,
I am running haproxy on ubuntu server 16.04 using the current version v0.11.1 of certbot. I have configured 2 load balancing servers which share a virtual/floating IP address (used for failover). I am serving content from both these load balancing servers.

To install the cert I am currently disabling the one load balancing server having only the one server bound to my domain name using the virtual ip address. I have eth0 x.x.x.10 and the virtual IP on eth0:0 x.x.x.20 both these ip’s are publicly accessible and mapped to domains eg. one.example.com, virtual.example.com. I use the webroot way of installing the cert. My web server is listening on the virtual IP where it is sharing its content. When I issue the command:

./letsencrypt-auto certonly
–server https://acme-staging.api.letsencrypt.org/directory
–webroot --webroot-path “/usr/share/nginx/html/”
–keep-until-expiring
–text
-vvv
–email xx@example.com
–agree-tos
-d virtual.example.com

The installation fails with the default message: Could not connect to virtual.example.com although doing a nslookup and dig -x on the domain returns the correct details. Also visiting virtual.example.com serves the files from the webroot path.

When I change the -d to one.example.com the installation succeeds. for example

./letsencrypt-auto certonly
–server https://acme-staging.api.letsencrypt.org/directory
–webroot --webroot-path “/usr/share/nginx/html/”
–keep-until-expiring
–text
-vvv
–email xx@example.com
–agree-tos
-d one.example.com

I am curious as to why I cannot generate a certificate using the virtual IP address and its domain name. Have anyone else perhaps experienced this or have a possible solution to this?

Regards


#2

Hi @somejavadev,

Can you do so with curl on the server itself?

Edit: also, could you paste the complete error message from Certbot?


#3

Hi, Thanks for the reply. If I do a curl from one.example.com -> virtual.example.com it returns the content from the files served on one.example.com.

nslookup and dig -x returns the virtual ip and virtual.example.com domain name correctly.

Here is the debug output: https://gist.github.com/somejavadev/4da0bc0544d08746905489371fa59a79


#4

Hi,

We can close this issue, after investigating further it seems that the correct ports from outside of the DMZ was not opened for virtual.example.com but only for one.example.com and two.example.com.

Sorry for the inconvenience.

Regards


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.