Hi,
I am running haproxy on ubuntu server 16.04 using the current version v0.11.1 of certbot. I have configured 2 load balancing servers which share a virtual/floating IP address (used for failover). I am serving content from both these load balancing servers.
To install the cert I currently disable one of the load balancing servers, so that only one server is bound to my domain name via the virtual IP address. I have eth0 x.x.x.10 and the virtual IP on eth0:0 x.x.x.20; both of these IPs are publicly accessible and mapped to domains, e.g. one.example.com and virtual.example.com. I use the webroot method of installing the cert. My web server is listening on the virtual IP, where it serves its content. When I issue the command:
./letsencrypt-auto certonly \
  --server https://acme-staging.api.letsencrypt.org/directory \
  --webroot --webroot-path "/usr/share/nginx/html/" \
  --keep-until-expiring \
  --text \
  -vvv \
  --email xx@example.com \
  --agree-tos \
  -d virtual.example.com
The installation fails with the default message: Could not connect to virtual.example.com, although doing an nslookup and dig -x on the domain returns the correct details. Also, visiting virtual.example.com serves the files from the webroot path.
When I change the -d to one.example.com the installation succeeds. For example:
./letsencrypt-auto certonly \
  --server https://acme-staging.api.letsencrypt.org/directory \
  --webroot --webroot-path "/usr/share/nginx/html/" \
  --keep-until-expiring \
  --text \
  -vvv \
  --email xx@example.com \
  --agree-tos \
  -d one.example.com
I am curious as to why I cannot generate a certificate using the virtual IP address and its domain name. Has anyone else perhaps experienced this, or does anyone have a possible solution?
Regards
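The webroot method relies on the ACME validator fetching http://DOMAIN/.well-known/acme-challenge/TOKEN and getting the token back. The following pre-flight script is an added example, not code from the post or from certbot: it drops a throw-away token into the webroot and fetches it while pinning the hostname to one chosen IP with curl --resolve, so the same check can be repeated against x.x.x.10 and x.x.x.20 to see which address actually serves the webroot for the name. WEBROOT, DOMAIN and IP are placeholders taken from the post and are assumed to be edited before use; the check runs from your own vantage point, not from Let's Encrypt's validators, so a pass here only rules out a local serving problem.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the HTTP-01
# webroot challenge. Places a token under the webroot, then fetches it over
# HTTP with the domain name pinned to a specific IP address.
#
# Assumptions: the web server on $IP serves $WEBROOT as its document root for
# $DOMAIN on port 80. The three values below are placeholders to edit.

WEBROOT="${WEBROOT:-/usr/share/nginx/html}"   # webroot path from the post
DOMAIN="${DOMAIN:-virtual.example.com}"       # hostname passed to -d
IP="${IP:-x.x.x.20}"                          # placeholder: address to pin the name to

# Build the URL an ACME HTTP-01 validator requests for a given token.
challenge_url() {
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a token file under the webroot, as certbot's webroot plugin does.
# Prints the path of the created file.
place_token() {
  _webroot="$1"; _token="$2"
  mkdir -p "$_webroot/.well-known/acme-challenge"
  printf '%s' "$_token" > "$_webroot/.well-known/acme-challenge/$_token"
  printf '%s\n' "$_webroot/.well-known/acme-challenge/$_token"
}

# Fetch the token over HTTP from one specific IP, bypassing DNS for the name.
# Returns 0 when the response body equals the token, 1 otherwise.
fetch_token() {
  _domain="$1"; _ip="$2"; _token="$3"
  _body=$(curl -sS --max-time 10 --resolve "$_domain:80:$_ip" \
          "$(challenge_url "$_domain" "$_token")") || return 1
  [ "$_body" = "$_token" ]
}

# Remove the token so no test files linger in the webroot.
cleanup_token() {
  rm -f "$1/.well-known/acme-challenge/$2"
}

main() {
  token="preflight-$(date +%s)-$$"
  path=$(place_token "$WEBROOT" "$token")
  if fetch_token "$DOMAIN" "$IP" "$token"; then
    echo "OK: $DOMAIN via $IP served $path"
  else
    echo "FAIL: $DOMAIN via $IP did not return the token from $path" >&2
  fi
  cleanup_token "$WEBROOT" "$token"
}

# Run only once the placeholder IP has been replaced with a real address.
case "$IP" in
  x.x.x.*) echo "Edit WEBROOT, DOMAIN and IP before running the check." ;;
  *) main ;;
esac
```

Run it once with IP set to the eth0 address and once with the virtual IP; a token that is served from one address but not the other points at where the request for the name is actually landing, which is the first thing to establish before looking at certbot itself.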