We can't because mail.customer.tld points to a load balanced setup in tcp mode so there's no way to guarantee that all the requests will go to the same background server for every set of validations.
This could be interesting, I will give it a try, thanks!
Well, you could script putting the challenge file on each of the load-balanced servers, or have each of them have a web server configured to respond to all requests for /.well-known/acme-challenge/ with an HTTP redirect to some other server that you can script (like the one running certbot). It may still be easier and less complicated to use DNS authentication for your use case, though.
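The first option above (scripting the challenge file onto every pool member) as an added example, not code from any poster here: a certbot `--manual-auth-hook` that writes the HTTP-01 token to each backend's webroot, so the validator's request lands on a correct answer whichever backend the TCP-mode balancer picks. The backend hostnames, the webroot path and the `ACME_BACKENDS`/`ACME_WEBROOT` variables are assumptions; `CERTBOT_TOKEN` and `CERTBOT_VALIDATION` are the variables certbot really exports to the hook.

```shell
#!/bin/sh
# Added example: certbot --manual-auth-hook for a TCP-load-balanced pool.
# Usage (hypothetical):
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook ./acme-fanout.sh -d mail.customer.tld
set -eu

# Assumed pool members and webroot; override via environment.
BACKENDS="${ACME_BACKENDS:-web1.internal web2.internal web3.internal}"
WEBROOT="${ACME_WEBROOT:-/var/www/html}"

# Write one challenge file. A target starting with "/" is treated as a local
# webroot (handy for dry runs); anything else is an ssh host using $WEBROOT.
# The token is limited to the base64url alphabet before it touches a path.
place_challenge() {
    target="$1"; token="$2"; validation="$3"
    case "$token" in
        *[!A-Za-z0-9_-]*|"") echo "refusing unsafe token" >&2; return 1 ;;
    esac
    case "$target" in
        /*) dir="$target/.well-known/acme-challenge"
            mkdir -p "$dir"
            printf '%s' "$validation" > "$dir/$token" ;;
        *)  ssh "$target" "mkdir -p '$WEBROOT/.well-known/acme-challenge' && \
                printf '%s' '$validation' > '$WEBROOT/.well-known/acme-challenge/$token'" ;;
    esac
}

# Fan the same token out to every backend; fail the hook if any copy fails,
# since a partial rollout is exactly the flaky validation the thread describes.
fanout_challenge() {
    token="$1"; validation="$2"; shift 2
    for b in "$@"; do
        place_challenge "$b" "$token" "$validation" || return 1
    done
}

# Only act when invoked by certbot (the hook variables are set).
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    # shellcheck disable=SC2086  # BACKENDS is intentionally word-split
    fanout_challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" $BACKENDS
fi
```

A matching `--manual-cleanup-hook` should delete the same file on each backend once validation completes.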
Validations can last up to 30 days.
Within 30 days, certbot will normally try 60 times.
Even with 5 load balanced hosts, 60 attempts should be more than enough to complete once.
You can have everything in /.well-known/acme-challenge redirect (LetsEncrypt's validator will honor that) or proxy within your network onto a single server. Or you can use DNS challenges.
I open-sourced our solution a while back. It's overkill for your needs, but should make sense: GitHub - aptise/peter_sslers: or how i stopped worrying and learned to love the ssl certificate
When doing HTTP validation, we typically run a single instance on a given node, and proxy all traffic onto it from the load balancer. Machines in our network query that node's API when they need an existing certificate or need to enroll a new domain. From the vantage point of LetsEncrypt, it's all one machine. Behind our load balancer(s), there could be 2-20 nodes.