Letsencrypt and Anycast


I am trying to determine if there is a best practice in place for using letsencrypt with a load balanced IP address (anycast).

At this point I will say that I haven't yet set up the servers and may not do so; however, I would like to understand the best method for using letsencrypt in this type of infrastructure.

As standard when I generate SSL certificates I generally use webroot.

The issue as I see it with using webroot is that it will create the well-known file on the server I am on; however, this server may be one of many that the DNS entries resolve to when using an anycast address.

In an ideal world I would like a method of synchronising the well-known files with all the other servers prior to letsencrypt's servers verifying the content. Is this something that is possible with webroot?

Looking at the documentation, manual mode allows scripts to be called prior to the authentication; would this be the better mode to use?

Has anyone used letsencrypt on an anycast system and can share some advice?




In this case you have two options.

  1. If you have control over the DNS you can use it for the validation. There are some projects on GitHub for the most used DNS systems. So you can automate it.

  2. You can redirect the request to a central validation server. I tested it with two redirects.

abc.xyz/.well-known/acme-challenge/xyz -> validation-letsencrypt.abcdef.xyz -> abcxyz.s3.amazonaws.com/.well-known/acme-challenge/xyz

Just temporarily redirect the acme folder to the specific endpoint.

Hope that helps.

Hello Knight,

Thank you for that. I have just read a bit on the DNS validation; this looks like it could work but will be a bit of a hassle to set up.

If Letsencrypt doesn't mind redirects, then this would seem like the easier option; I can get all of the servers redirecting to my location with a script easily enough.

I will give this a try, it should be a nice simple automated way of handling load balanced servers.



Hi @robward,

For HTTP-01 validations, the certificate authority does follow redirects encountered as part of the validation, so you can also tell every host to redirect http://example.com/.well-known/acme-challenge/anything to http://acme-validation.example.com/.well-known/acme-challenge/anything, and then run the client on a machine that has a webroot directory for http://acme-validation.example.com/. Other people have used this approach successfully in the past.
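A small end-to-end model of the redirect approach described in Knight's and schoen's replies above. This is an added example, not code from the thread or from Let's Encrypt's tooling: three loopback "edge" servers stand in for anycast nodes that do not hold the challenge file, a fourth serves the webroot of the central validation host, and a client mimics the CA's HTTP-01 fetch by following the redirect. The token and key-authorization strings are constructed placeholders.

```python
import functools, http.server, pathlib, tempfile, threading, urllib.request

ACME_PREFIX = "/.well-known/acme-challenge/"

def serve(handler):
    """Start an HTTP server on a free loopback port in a daemon thread; return its base URL."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"

def edge_handler(central_base):
    """Handler for one anycast node: 302 only the ACME path to the central host,
    serve everything else locally (the node never needs the challenge file itself)."""
    class Edge(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path.startswith(ACME_PREFIX):
                self.send_response(302)
                self.send_header("Location", central_base + self.path)
                self.end_headers()
            else:
                self.send_response(200)
                self.end_headers()
                self.wfile.write(b"application content\n")
        def log_message(self, *args):  # keep the example quiet
            pass
    return Edge

def publish_challenge(webroot, token, key_authz):
    """Write the challenge response into the central webroot, as a webroot client would."""
    d = pathlib.Path(webroot, ".well-known", "acme-challenge")
    d.mkdir(parents=True, exist_ok=True)
    (d / token).write_text(key_authz)

def validate(edge_base, token):
    """Mimic the CA's HTTP-01 fetch: GET the token from an edge node, follow the
    redirect, and return (final_url, body) so the caller can check both."""
    with urllib.request.urlopen(edge_base + ACME_PREFIX + token, timeout=5) as resp:
        return resp.geturl(), resp.read().decode()

def demo():
    """Bring up one central webroot host plus three edge nodes; validate via each edge."""
    webroot = tempfile.mkdtemp()
    central = serve(functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot))
    edges = [serve(edge_handler(central)) for _ in range(3)]  # three anycast nodes
    token, key_authz = "constructed-token", "constructed-token.constructed-thumbprint"  # constructed
    publish_challenge(webroot, token, key_authz)
    return central, [validate(e, token) for e in edges]
```

Whichever edge the "CA" reaches, the final URL lands on the central host and the body is the key authorization; the non-ACME paths on each edge are untouched by the redirect.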

Hello @schoen

Thanks, this sounds like a good approach for my use case and avoids the hassle of DNS entries.

Thanks for your help.

