How to configure Let's Encrypt on Floating IP


I have the following configuration

    HA-1 -----> Server-1
    HA-2 -----> Server-2

Where HA-1 and HA-2 are machines running HAProxy, and Server-1 and Server-2 are instances of my application. Now I want to configure Let's Encrypt on Server-1 and Server-2, but since they are tightly coupled with the HAs and no outside or public connection is allowed as per my current flow, it is only reachable through a floating IP via HA-1 or HA-2 to Server-1 or Server-2. How can I get this done?

Hope you got my question.
Any help will be appreciated.


there are a few ways to do this, shared in the archives here.

the easiest I've seen is to do this:

  1. run certbot on Server-1.
  2. configure both Server-1 and Server-2 to serve the /.well-known directory from Server-1 (either via webserver or a local NFS mount).
  3. rsync/whatever the certificate from Server-1 to Server-2.

however, it would probably make more sense to eliminate the app servers and terminate on the ha-proxy machines:

  1. run certbot on HA-1.
  2. configure both HA-1 and HA-2 to proxy the /.well-known directory off HA-1.
  3. copy the cert from HA-1 to HA-2.

you only have to serve the .well-known challenge during the authentication (issue and renew); it's just a few seconds of uptime that is needed. we use nginx and have file-based semaphores that enable/disable the routes as needed. (i.e., if we're not updating a cert, the /.well-known route does not exist.)
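An added example for step 3 of the "terminate on the HAProxy machines" layout (not code from the thread): a certbot deploy hook that turns the renewed lineage into the single PEM file HAProxy expects (full chain followed by the private key), sanity-checks it, pushes it to HA-2 and reloads HAProxy on both nodes. It assumes certbot runs on HA-1 and sets `RENEWED_LINEAGE` (which it does for deploy hooks), that HA-2 is reachable as `ha-2.internal` over ssh, and that both HAProxy instances load certificates from `/etc/haproxy/certs`; all three names are assumptions.

```shell
#!/bin/sh
# Added example, not the forum author's code. Step 2 of the recipe (an HAProxy
# acl/use_backend rule on both nodes sending /.well-known/acme-challenge/ to the
# certbot listener on HA-1) is not shown here.
set -eu

PEER_HOST="${PEER_HOST:-ha-2.internal}"     # hypothetical hostname of HA-2
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"  # where both HAProxy nodes load certs

# HAProxy reads one PEM per site: full chain first, then the private key.
build_haproxy_pem() {
    lineage="$1"; out="$2"
    [ -s "$lineage/fullchain.pem" ] && [ -s "$lineage/privkey.pem" ] || return 1
    # umask in a subshell so the file holding the key is created owner-only
    ( umask 077; cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$out.tmp" )
    mv "$out.tmp" "$out"   # atomic replace: HAProxy never reloads a half-written file
}

# Number of certificates in a combined PEM; a leaf plus at least one
# intermediate is expected, so fewer than 2 means the chain is incomplete.
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Copy the PEM to HA-2 and reload (not restart) HAProxy on both nodes,
# so existing connections are kept while the new certificate is picked up.
sync_and_reload() {
    pem="$1"
    scp -q "$pem" "root@$PEER_HOST:$pem"
    ssh "root@$PEER_HOST" 'systemctl reload haproxy'
    systemctl reload haproxy
}

main() {
    name="$(basename "$RENEWED_LINEAGE")"   # e.g. example.com
    pem="$CERT_DIR/$name.pem"
    build_haproxy_pem "$RENEWED_LINEAGE" "$pem"
    if [ "$(cert_count "$pem")" -lt 2 ]; then
        echo "refusing to deploy: chain looks incomplete in $pem" >&2
        exit 1
    fi
    sync_and_reload "$pem"
}

# Only act when invoked by certbot, which exports RENEWED_LINEAGE to deploy hooks.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Install it with `certbot ... --deploy-hook /path/to/this-script` (or under `/etc/letsencrypt/renewal-hooks/deploy/`) so renewals run it automatically.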


…or use an alternate client supporting the DNS challenge.

