Mulitple Webservers (kind of)

SouthwellSchool · August 14, 2017, 2:41am

I have set up letsencrypt using winsimple and all is good. The server which cert is installed on renews without drama.

What I need is to update the cert which was imported to a proxy server that allows in communication.

I see it is possible have it update according to Multiple Webservers

So I was just wondering how we go about doing this in some more detail?

motoko · August 14, 2017, 2:57am

It depends on how you have things set up and what level of configuration you can make. You could try handling the certificate stuff on the proxy. Alternately, if you can point a specific URL path to a single server, you could use the webroot method on that server to get the certificate and then update the proxy server. You could also use the DNS validation method to handle the certificate without needing to adjust the proxy configuration.

SouthwellSchool · August 14, 2017, 3:55am

Thanks Motoko.

All the proxy does is point internal traffic to the right server if the incoming name is valid, to a HTTPS version (hence the reason for cert to be on the proxy)

Which way do you recommend as the best option? and is there some documentation I could refer to?

motoko · August 15, 2017, 10:28pm

Each setup is unique, so there’s not really documentation. Likewise, the best option depends on the situation. Webroot is usually very simple to implement and you don’t need to interrupt or interact with other services to use it. However, in some configurations, it may be impossible to use.

That said, I’m a fan of the webroot method because of its simplicity and recommend trying it first. If you can have the proxy serve a path from local content, you could run certbot on the proxy cleanly. Any other options will involve more complexity in that you’d need to copy certificate files or find a way to modify DNS records.

rg305 · August 15, 2017, 11:27pm

If you could make use of a local global alias on the proxy:
Alias /.well-known/acme-challenge/ /path-to-challenge/
You could catch all auth requests into one folder.
Then also include something like:
ProxyPass /.well-known/acme-challenge !
in the vhost files to NOT proxy the auth challenge requests.

system · September 14, 2017, 11:27pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Lets Encrypt and reverse proxy Help	5	1419	May 3, 2018
Options for renewing certs on a TLS server that proxies to several other servers (round-robin) Server	2	770	November 23, 2018
Multiple servers: what are all the options and requirements to get it working? Help	20	11143	March 13, 2020
Confused re multiple hosts needing SSL Help	15	915	February 4, 2023
Different method to renew certificates that don't include access to the .well-known/acme-challenge directory? Server	5	2442	March 26, 2019

Mulitple Webservers (kind of)

Related topics