How to configure Let's Encrypt on Floating IP


#1

I have the following configuration


  Floating IP --> HA-1 -----> Server-1
                  HA-2 -----> Server-2

Where HA-1 and HA-2 are machines running HAProxy and Server-1 and Server-2 are instances of my application. Now I want to configure Let's Encrypt on Server-1 and Server-2, but they are tightly coupled with the HAs and no outside or public connection is allowed. In my current flow the only way in is through a floating IP, via HA-1 or HA-2, to Server-1 or Server-2. How can I get this done?

Hope you got my question.
Any help will be appreciated.


#2

There are a few ways you can do this, shared in the archives here.

The easiest I've seen is to do this:

  1. Run certbot on Server-1.
  2. Configure both Server-1 and Server-2 to serve the /.well-known directory from Server-1 (either via the webserver or a local NFS mount).
  3. rsync/whatever the certificate from Server-1 to Server-2.

However, it would probably make more sense to eliminate the app servers and terminate on the HAProxy machines:

  1. Run certbot on HA-1.
  2. Configure both HA-1 and HA-2 to proxy the /.well-known directory off HA-1.
  3. Copy the cert from HA-1 to HA-2.

You only have to serve the /.well-known challenge during the authentication (issue and renew); it's just a few seconds of uptime that is needed. We use nginx and have file-based semaphores that enable/disable the routes as needed (i.e., if we're not updating a cert, the /.well-known route does not exist).
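A worked version of the second approach in the reply above (terminate TLS on the HAProxy pair, let HA-1 answer the HTTP-01 challenge for both), as an added example rather than anything posted in the thread. It assumes HA-1 is reachable from HA-2 on a private address 10.0.0.11, that certbot runs in --standalone mode on HA-1 listening on port 8888 (so it does not collide with HAProxy on port 80), and that HAProxy loads its combined certificate from /etc/haproxy/certs/site.pem on both machines; all of those names and addresses are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the thread): HTTP-01 via HAProxy with HA-1 as the
# only certbot host. Everything below the functions only runs when invoked
# as `./acme-ha.sh issue`, so the file is safe to source.
# Assumed values (hypothetical, not from the original post):
ACME_BACKEND_IP="${ACME_BACKEND_IP:-10.0.0.11}"   # HA-1's private address
ACME_PORT="${ACME_PORT:-8888}"                    # certbot --standalone port on HA-1
CERT_DIR="${CERT_DIR:-/etc/haproxy/certs}"        # HAProxy cert directory, both HAs
HA2_HOST="${HA2_HOST:-ha-2}"                      # ssh/rsync name of the second proxy

# HAProxy fragment installed on BOTH HA-1 and HA-2. The ACL matches only the
# ACME challenge path, so whichever proxy currently holds the floating IP
# forwards the validator's request to certbot on HA-1 instead of to the app
# servers. The path_beg test is deliberately narrow: nothing outside
# /.well-known/acme-challenge/ is ever sent to the certbot listener.
haproxy_acme_fragment() {
    cat <<EOF
frontend http_in
    bind *:80
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_challenge if is_acme
    default_backend app_servers

backend acme_challenge
    # certbot --standalone --http-01-port ${ACME_PORT} listens here, on HA-1 only
    server ha1_certbot ${ACME_BACKEND_IP}:${ACME_PORT}
EOF
}

# HAProxy wants leaf+chain and private key in a single PEM. Build it with a
# restrictive umask so the key is never world-readable, even for an instant.
# $1 = certbot live directory, $2 = output PEM path.
build_haproxy_pem() {
    live_dir="$1"
    out="$2"
    ( umask 077 && cat "$live_dir/fullchain.pem" "$live_dir/privkey.pem" > "$out" )
    chmod 600 "$out"
}

# Deploy hook run by certbot on HA-1 after a successful issue/renew: assemble
# the PEM, push it to HA-2 over ssh (rsync -a keeps the 600 mode), and reload
# both proxies. RENEWED_LINEAGE is set by certbot for --deploy-hook scripts.
deploy_to_both_proxies() {
    lineage="${RENEWED_LINEAGE:?set by certbot}"
    build_haproxy_pem "$lineage" "$CERT_DIR/site.pem"
    rsync -a "$CERT_DIR/site.pem" "root@${HA2_HOST}:$CERT_DIR/site.pem"
    systemctl reload haproxy
    ssh "root@${HA2_HOST}" systemctl reload haproxy
}

case "${1:-}" in
    fragment) haproxy_acme_fragment ;;
    deploy)   deploy_to_both_proxies ;;
    issue)
        # Run on HA-1 only. The challenge listener is up for the few seconds
        # of validation; the rest of the time the acme_challenge backend
        # simply has nothing listening, which is the "route does not exist"
        # behaviour the reply describes.
        certbot certonly --standalone --non-interactive --agree-tos \
            --preferred-challenges http --http-01-port "$ACME_PORT" \
            -d "${DOMAIN:?set DOMAIN}" \
            --deploy-hook "$(readlink -f "$0") deploy"
        ;;
esac
```

Two practitioner caveats the reply leaves implicit: the rsync step moves the private key between hosts, so it should go over ssh with a key-restricted account rather than NFS or a shared web root, and the file HAProxy reads must stay mode 600 on both machines. Renewal is then just `certbot renew` on HA-1 (the deploy hook is remembered in the renewal config), which is why only one proxy ever needs the certbot listener.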


#3

…or use an alternate client supporting the DNS challenge.
