Let´s Encrypt + Load Balance (Force Callback)

leonardoborlot · November 23, 2021, 8:29pm

Hy guys.

I have a infrastructure where I host some site from cliente into a LoadBalancer Cluster.

This Load Balance has 2 servers, Server A and Server B and the Load Balance is from Cloudflare Load Balance.

When I try to generate new SSL Certo from letsencrypt, from Server A, may I recive error becauthe the API return from Load Balance and find the Server B.

When the API Returns from Server A, the cert was created.

How May I force the call back from Server A, every whe I try to create a new Cert?

MikeMcQ · November 23, 2021, 8:44pm

Does Cloudflare offer balancer routing by URL?
If so, just route any /.well-known/acme-challenge url to server A

Or, use the DNS challenge instead of HTTP. Then you don't have to worry about which server responds to the request.
https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins
https://certbot-dns-cloudflare.readthedocs.io/en/stable/

leonardoborlot · November 23, 2021, 8:58pm

We have tried the
--chalenge-alias and --domain-alias trying to for the validated one CNAME domain pointed to Server A IP.

But dont work.

jvanasco · November 23, 2021, 9:01pm

repackaging the suggestion above with some details and other options:

ProxyPass all traffic on /.well-known/acme-challenge to a single server. This an be another machine. (Requests on A and B are always served on A or C)
HTTP Redirect all traffic on /.well-known/acme-challenge to a single server. This can be another machine or domain. (Requests for A and B are always served on A or C)
DNS-01 Challenge
Unless you need Publicly Trusted LE Certs as a fallback, CloudFlare offers their own Certs to secure traffic between your servers and their networks. They have 15+ year expiries (vs 90 days)

leonardoborlot · November 23, 2021, 9:06pm

Theres a problem.
Load Balance from Cloud flare is Domain based.
Some clients dont use Cloud Flare, if I tray point a CNAME to From another Nameserver from outside to Cloudflare they return Proibited trafic.

I need an idea to do It without the Clodflare LoadBalance Rules (Proxy off)...

jvanasco · November 23, 2021, 9:18pm

You can place the proxypass or http redirects on the servers themselves.

leonardoborlot · November 23, 2021, 10:22pm

Did has you done this?
I have some dificult to found the route from where the callback come.
This is a http on the port 80? or the callback comes direct from TCP to acme API?

jvanasco · November 24, 2021, 2:19am

Yes. All the time.

With the HTTP-01 challenge, the LetsEncrypt API just needs to connect to your server(s) on Port 80 to prove ownership. The LetsEncrypt server will follow HTTP redirects (e.g. HTTP-301) on the domain your want a certificate for - so you can configure your A and B servers to redirect all traffic under /.well-known/acme-challenge/ to the same path on another domain, like example.com/.well-known/acme-challenge/foo.

LetsEncrypt has no idea about - and doesn't care about - your internal systems. You can configure servers A and B to proxypass the .well-known/acme-challenge directory to another system as well. I prefer that method myself. Under NGINX, the proxypass would simply be:

location  /.well-known/acme-challenge  {
    proxy_set_header  X-Real-IP  $remote_addr;
    proxy_set_header  X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_set_header  Host  $host;
    proxy_pass  http://{SERVER}:{PORT};
}

To make this even easier with Certbot, you can use the --http-01-port flag. That will let you run Certbot in a standalone server mode on an alternate port -- such as 8080. LetsEncrypt will not validate a domain on 8080, but in a proxypass situation it only sees and cares about the challenge being served on port 80.

So your setup for example.com could be:

Server A: proxypass challenges to foo.example.com:8080
Server B: proxypass challenges to foo.example.com:8080
Then either machine, or another one, host foo.example.com run Certbot on port 8080, to answer the challenges for example.com

I believe you can also 301 redirect to another port as well, but I've never had to do that so am unsure.

leonardoborlot · November 24, 2021, 3:25am

Nice.

Lets me try it!!
Thanks a lot!!!

rg305 · November 24, 2021, 3:58am

LE will only follow redirects to FQDNs (not IPs) and specifically to ports 80 and 443 ONLY.

Is using DNS-01 authentication not possible?

jvanasco · November 24, 2021, 2:44pm

Thanks for educating us all, @rg305 !

leonardoborlot · November 24, 2021, 3:09pm

We don´t found information about finish the process.
Just find how create one cert manually, but the documentation dont expouse whats to do when the response is any exception...
Theres any documentation to automatize the DNS process?
Or, any documentation to solve the full process?
Because, when we are trying to create, in few times the API reject our request with rate-limit.

rg305 · November 24, 2021, 9:40pm

Firstly, you should do all your testing on the LE staging environment (not LE production environment).
[limits are much higher and you can get to a working solution quicker]
Also, see if there is any way to test the API (add/remove DNS records) independent of any ACME client.

Now to the rest...

What exceptions/errors are you seeing?

There in no single version of DNS implementation (guide).
It depends on the specific DNS Service Provider (DSP) and ACME client used.
Where the ACME client must have a DNS plugin that supports that DSP.
[Otherwise, you must run through the DNS challenge process manually. (not recommended)]

system · December 24, 2021, 9:41pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.