Hi, I'd like to issue a certificate for a few servers in a Round Robin DNS setup. There is no load balancer involved, it's just direct, DNS level load balancing, with A records.
My understanding is that basically only the DNS challenge works, is that correct?
So I'd have a script running once per day, doing the DNS challenge and renewing the certificate if needed. The machine this script runs on doesn't even need any incoming connection if I understand correctly; it could even be a cloud function or a docker image on an unrelated host. Then I'd upload the cert + key into some private storage and the actual HTTP servers would download from this place once per day.
As an alternative, I've read here that Stateless mode might be an option:
How would it work in my case? Should I register the account anywhere, even on a dev machine, get this fingerprint and just deploy the servers with this fingerprint hard-coded? Does this never change?
Is there any downside to using fingerprints? I mean it seems so simple compared to anything else.
The DNS challenge may be the easiest way for you to do it. The other possibility would be if you could push the challenge token to all of the servers, so that no matter which one is (or "ones are") hit, it will respond with the right value. But with this method, whatever system is trying to obtain the cert would need to be able to create (and then remove) those challenge tokens from each of the servers in question.
Using DNS validation, what you describe should work.
Just have one of the servers also listen on the hostname acme.example.com, where that hostname points to just a single server instead of doing round robin, and have the other servers serve the challenge file on that acme host (e.g. using NFS if they're on a secured network, or use scp, or think of something clever). And on all the servers you'd redirect every request for /.well-known/acme-challenge/ to acme.example.com.
Or even simpler: if a random server does a challenge, simply distribute that challenge over all servers. That way one of the servers will always answer and do it correctly.
Thanks, I'll go with the DNS solution. Do you know if there is any problem with having certs with different issue dates on the different servers? I mean this pushing to the servers can take some time, or might even fail, so one server might have the old cert while the other already has the renewed one for some time. Is this a problem?
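As an added example (not from anyone in this thread), here is a check for the failure mode raised in the last post: with DNS validation and a daily pull from private storage, a backend that missed the pull keeps serving an older certificate, and nothing in the round-robin setup will tell you until it expires. The script resolves every A record of a placeholder hostname, connects to each IP with SNI, and reports backends whose certificate lags behind the newest one or is close to expiry; only the summary function runs offline.

```python
"""Compare the certificate served by each A record of a round-robin hostname.
Added example; www.example.com is a placeholder for the real hostname."""
import hashlib
import socket
import ssl
import time

DAY = 86400


def fetch_cert(host, ip, port=443, timeout=5):
    """Handshake with one backend IP using SNI for `host`.
    Returns (sha256 fingerprint of the leaf, notAfter as epoch seconds)."""
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()  # populated only after verification
    fingerprint = hashlib.sha256(der).hexdigest()
    return fingerprint, ssl.cert_time_to_seconds(info["notAfter"])


def check_backends(host, port=443):
    """Resolve all IPv4 A records and fetch the certificate from each one."""
    ips = sorted({ai[4][0] for ai in
                  socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)})
    return {ip: fetch_cert(host, ip, port) for ip in ips}


def summarize(results, now, min_days_left=14):
    """results: {ip: (fingerprint, not_after_epoch)}.
    A mix of issue dates is fine while every cert is valid; what matters is a
    backend stuck on an old cert, so report lagging and soon-expiring IPs."""
    fingerprints = {fp for fp, _ in results.values()}
    newest = max(exp for _, exp in results.values())
    lagging = sorted(ip for ip, (_, exp) in results.items() if exp < newest)
    expiring = sorted(ip for ip, (_, exp) in results.items()
                      if exp - now < min_days_left * DAY)
    return {"consistent": len(fingerprints) == 1,
            "lagging": lagging, "expiring_soon": expiring}


if __name__ == "__main__":
    res = check_backends("www.example.com")  # placeholder hostname
    for ip, (fp, exp) in res.items():
        print(ip, fp[:16], time.strftime("%Y-%m-%d", time.gmtime(exp)))
    print(summarize(res, time.time()))
```

Run it from a host that can reach every backend directly; if a backend is firewalled so that only the public VIPs are reachable, point it at those instead.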