This can become very confusing fast, so please read carefully.
The domain and IP addresses are examples.
I am setting up load balancing. I am trying to solve a problem where I have to create many SSL certificates dynamically, and I want to be able to create a Let's Encrypt certificate from my main SSL certificate generating server for any domain that is pointed at my load balancer.
I have two back-end slave servers that both run NGINX.
SVR1 - 22.33.44.45 ( Main SSL certificate generating server )
SVR2 - 66.33.44.44 ( Where domain is pointed at in this example and has NGINX redirect config for acme-challenges )
On SVR1 I am running:
letsencrypt certonly -a webroot --agree-tos --email=myemail@gmail.com --noninteractive --webroot-path=/home/forge/myproject/public -d blue.com
Example:
I am trying to create an SSL certificate for blue.com, which is pointed to SVR2's IP.
I am generating the SSL certificate from SVR1.
When generating the SSL certificate from SVR1 for the domain that's pointed to SVR2, I get an error saying:
Failed authorization procedure. blue.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Could not connect to 22.33.44.45
IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: blue.com
   Type: connection
   Detail: Could not connect to 22.33.44.45
The NGINX catch-all site config on SVR2 contains (this is where it's failing):
    location /.well-known {
        allow all;
        # send every ACME challenge request on to SVR1, which holds the webroot
        return 301 http://22.33.44.45$uri;
    }
The NGINX catch-all site config on SVR1 contains:
    location /.well-known {
        allow all;
    }
Basically, I am redirecting all Let's Encrypt challenges to the server I have chosen to do all my SSL certificate generating.
My assumption is that perhaps Let's Encrypt doesn't account for redirects, or doesn't like them when checking for acme-challenges.
I can connect to both SVR1 and SVR2 through my browser, and there is no IP whitelist/blacklist.
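Added example, not part of the original question: the two catch-all server blocks as a security engineer would write them for this "bounce every ACME challenge to one central server" pattern. Two facts frame it. First, Let's Encrypt's http-01 validator does follow HTTP redirects, and the error detail in the post names 22.33.44.45 rather than blue.com's own address, so the validator honoured the 301 and then failed to open a connection to SVR1 on port 80 from the CA's side; the redirect itself is not the problem. Second, SVR1's block as posted has no root or alias for the challenge path, so even once port 80 is reachable nginx has nowhere to look for the token file. The IPs and the webroot /home/forge/myproject/public are taken from the post (the space in the original path is assumed to be a typo); listen 80 default_server and server_name _ are assumed for a catch-all vhost.

```nginx
# ---- SVR2 (66.33.44.44): the host the domain actually resolves to ----
server {
    listen 80 default_server;
    server_name _;

    # ^~ makes this prefix match win over any regex location in the same
    # server block, so a later "location ~ \.php$" or similar cannot capture
    # the challenge request. Only the ACME path is redirected, not all of
    # /.well-known, which other services may legitimately use.
    location ^~ /.well-known/acme-challenge/ {
        # $request_uri carries the original path and query string untouched;
        # $uri (used in the post) is the normalised path without the query.
        # Redirect over plain HTTP: http-01 is always validated on port 80.
        return 301 http://22.33.44.45$request_uri;   # SVR1 IP from the post
    }

    # ... normal site / load-balancer configuration follows ...
}

# ---- SVR1 (22.33.44.45): the central certificate-generating server ----
server {
    listen 80 default_server;
    server_name _;

    # Serve the token files certbot drops into the webroot given by
    # --webroot-path. With "root" nginx appends the full URI, so a request for
    # /.well-known/acme-challenge/<token> maps to
    # /home/forge/myproject/public/.well-known/acme-challenge/<token>
    # (path from the post; assumed to contain no space).
    location ^~ /.well-known/acme-challenge/ {
        root /home/forge/myproject/public;
        default_type text/plain;   # token files have no extension
        try_files $uri =404;       # never fall through to the application
    }

    # Nothing else needs to be exposed on port 80 of SVR1 for this to work.
}
```

Because the CA reports "could not connect" to SVR1 itself, confirm from outside the network that port 80 on 22.33.44.45 is open before retrying: check that nginx is bound to the public interface (`ss -ltnp | grep ':80'`) and that the host firewall and any cloud security group allow inbound TCP 80 from any source, since Let's Encrypt validates from several vantage points and the validator's source addresses cannot be whitelisted. A quick end-to-end check is to drop a file such as `probe` into `/home/forge/myproject/public/.well-known/acme-challenge/` on SVR1 and fetch `http://blue.com/.well-known/acme-challenge/probe` with `curl -L` from an external host; if that returns the file's contents, the same redirect chain will work for certbot.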