I’ve read a lot of threads here and on Stack Overflow to figure out how to do multiple-server Let’s Encrypt configuration. I’d like to know all the possible ways of doing this and more importantly, what the requirements to get it working are. Note that I’d like to avoid any automagic from Let’s Encrypt as I’d like to have it working for multiple configurations. I’ve decided to not go with the DNS challenge for security reasons and instead only do the HTTP-01 challenge.
- Does the DNS need to point to all backend servers? E.g. an A record with all the IPs of all the backend servers? I’m guessing no.
- Does the requesting server need to handle the challenge completely? I see a lot of solutions like “backend server requests renewal but proxies the HTTP-01 challenge to a special cert server”. But how does the cert server know how to answer the challenge? The docs say that the ACME client tells LE that it’s ready, but if you have separate clients on the backend and the cert servers, then the cert server is not ready?
Correct me where I’m wrong and add other options where possible.
- Backend servers proxy to a central server.
You have a special server, e.g. cert.site.com, that handles all the certificate requests, discussed here. Does the backend server here request the certificate renewal or does it only proxy the requests to the central server? Is the final certificate saved on the backend server or the central server?
- Have a central server manage everything. This means that one server does all the back-and-forth with Let’s Encrypt, gets all the certs, distributes the certificate to all the backend servers and triggers web server restarts on all the backend servers.
- Have only backend servers and they manage the certificates for themselves. Each server requests a cert, so might be problematic for LE’s rate limits.
The HTTP-01 challenge
The challenge docs say that the client puts a file at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. Obviously, the client doesn’t put it on http, but on disk. But does that mean that the challenge happens using a domain and not IP of the requesting server? How does this backend server make sure that all the servers on this domain can answer the challenge? I’m assuming there’s a private key of the requesting server at play, but other servers will have different private keys, so they can’t answer the challenge?
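The mechanics behind the questions in this post, as an added worked example that is not part of the original post or of any Let’s Encrypt client: the body served at `/.well-known/acme-challenge/<TOKEN>` is the RFC 8555 key authorization, `<TOKEN>.<thumbprint>`, where the thumbprint is the RFC 7638 hash of the ACME account public key. No backend TLS key is involved, so a central store that every backend proxies the challenge path to can answer for all of them, whichever backend IP the CA's validator happens to reach. The JWK values, IP addresses and token below are constructed placeholders, and the in-process `CentralChallengeStore` stands in for the "cert server" that a real deployment would reach over a proxy rule.

```python
import base64
import hashlib
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Members that enter the RFC 7638 thumbprint, per key type (sorted, no whitespace).
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed account public keys: the coordinates are made-up base64url strings,
# not real curve points. Only the hash of the JSON matters for this demonstration.
ACCOUNT_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
OTHER_JWK = {
    "kty": "EC", "crv": "P-256",
    "x": "WKn-ZIGevcwGIyyrzFoZNBdaq9_TsqzGl96oc0CWuis",
    "y": "y77As5vbZdIhMwV3FTr9_Gz4kKRm6DBNnT8tFIPqoxc",
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE/ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the canonical JSON of the required members."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the exact body an HTTP-01 responder must serve."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class CentralChallengeStore:
    """Stand-in for the central cert server that holds published challenge responses."""

    def __init__(self):
        self._responses = {}

    def publish(self, token: str, key_auth: str) -> None:
        self._responses[token] = key_auth

    def lookup(self, token: str):
        return self._responses.get(token)


def backend_get(path: str, central: CentralChallengeStore):
    """Request handling on any backend: only the challenge prefix is forwarded centrally."""
    if not path.startswith(CHALLENGE_PREFIX):
        return 404, ""  # ordinary application traffic is out of scope here
    token = path[len(CHALLENGE_PREFIX):]
    if not token or "/" in token or ".." in token:
        return 404, ""  # accept a single path segment only
    body = central.lookup(token)
    return (200, body) if body is not None else (404, "")


def ca_validate(fetch, token: str, account_jwk: dict) -> bool:
    """What the CA's validator checks: HTTP 200 and a body equal to the key authorization."""
    status, body = fetch(CHALLENGE_PREFIX + token)
    return status == 200 and body.strip() == key_authorization(token, account_jwk)


def run_scenario() -> dict:
    """Two backends, one central store; the CA may reach either backend IP."""
    central = CentralChallengeStore()
    backend_ips = ["203.0.113.10", "203.0.113.11"]  # constructed documentation addresses
    token = "constructed-token-AbC123"
    # The ACME client publishes the response before telling the CA it is "ready".
    central.publish(token, key_authorization(token, ACCOUNT_JWK))

    def fetch(path):
        return backend_get(path, central)

    results = {ip: ca_validate(fetch, token, ACCOUNT_JWK) for ip in backend_ips}
    # A different account key cannot satisfy a token issued to this account.
    results["wrong_account"] = ca_validate(fetch, token, OTHER_JWK)
    # A token that was never published (stale client state) fails as well.
    results["unknown_token"] = ca_validate(fetch, "never-published", ACCOUNT_JWK)
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

The point to take from `run_scenario` is that the validator's decision depends on the token, the account key thumbprint and the path, never on which backend host served the bytes; so the host that ran the ACME client and the host that answers the challenge can differ as long as the response is published centrally before the client reports readiness.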