I didn’t specify my configuration precisely because it’s not set in stone and we might change it depending on our requirements or on how LE works. Additionally, we have a few different systems that we need to implement LE on. One might have a reverse proxy that would probably terminate SSL. Another would only proxy requests to backend servers, and they would answer to SSL. Then we have another system where we use a reverse proxy that terminates SSL, but we also have a backup (stand-by) reverse proxy (in case the first one dies) that needs to be ready at all times, meaning that it needs to have the certs ready.
That’s why I need to know how LE technically works. I was talking about “backend” servers because this is how it was described in many threads. It’s the actual server that terminates SSL. It might be a reverse proxy, it might be an individual API server, it might be fronted by a reverse proxy that does not terminate SSL, etc. It’s the server that needs to have an SSL certificate installed.
I might be able to create a bunch of network diagrams for all the possible combinations, but it might make more sense to first discuss some details and then I can narrow down on possible solutions and discuss those.
My questions were probably not clear enough. So let’s start with how a certificate is requested and received using the HTTP-01 challenge. Reading the How It Works page I can see how the agent requests a certificate for a simple setup. For more complex configurations, things get trickier.
This solution proposes passing the challenge HTTP requests from server-A to a central validation server. But how does the solution to the challenge get to the validation server so that it ends up in /.well-known/acme-challenge/*?
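The arrangement asked about above (a reverse proxy forwarding only the `/.well-known/acme-challenge/` prefix to one central validation host), modelled offline as an added example. This is not code from the post, from Let’s Encrypt or from any ACME client; the hostnames, the challenge token and the account key JWK are constructed values. What it shows is that the file the CA fetches (the key authorization, RFC 8555 section 8.1) is computed from nothing but the challenge token and the ACME account key’s RFC 7638 thumbprint, so the ACME client that holds the account key can write it on the validation host itself, and the proxy only has to route the CA’s request there.

```python
"""Added example (not part of the forum post): an offline model of the HTTP-01
flow when a reverse proxy forwards /.well-known/acme-challenge/ to one central
validation host.  Hostnames, tokens and the account key are constructed."""
import base64
import hashlib
import json

ACME_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as ACME (RFC 8555) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members, keys sorted, no
    whitespace, SHA-256 of the resulting JSON.  Extra members such as
    "kid" or "use" do not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token '.' thumbprint(account key).  Derived only
    from the challenge token and the ACME account key, so whichever host runs
    the ACME client can compute and publish it."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ValidationServer:
    """Central host running the ACME client; serves the challenge files."""

    def __init__(self):
        self.files = {}  # request path -> file body

    def publish(self, token: str, account_jwk: dict) -> None:
        # A webroot-style client writes <webroot>/.well-known/acme-challenge/<token>
        self.files[ACME_PREFIX + token] = key_authorization(token, account_jwk)

    def handle(self, host: str, path: str):
        body = self.files.get(path)
        return (200, body) if body is not None else (404, "")


class Backend:
    """The application server; it knows nothing about ACME."""

    def handle(self, host: str, path: str):
        return (200, f"app response for {host}{path}")


class Proxy:
    """Public entry point: routes only the challenge prefix to the validation
    host and everything else to the backend (the job of a location block for
    /.well-known/acme-challenge/ in nginx or an ACL in HAProxy)."""

    def __init__(self, validation: ValidationServer, backend: Backend):
        self.validation = validation
        self.backend = backend

    def handle(self, host: str, path: str):
        if path.startswith(ACME_PREFIX):
            return self.validation.handle(host, path)
        return self.backend.handle(host, path)


def ca_validates(proxy: Proxy, host: str, token: str, account_jwk: dict) -> bool:
    """What the CA does: GET http://<host>/.well-known/acme-challenge/<token>
    through the public entry point and compare the body with the key
    authorization it computed itself from the account key it holds."""
    status, body = proxy.handle(host, ACME_PREFIX + token)
    return status == 200 and body.strip() == key_authorization(token, account_jwk)


# Constructed account key and token (not real values; only the shape matters).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
               "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78L"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> bool:
    """Run the whole exchange for one constructed host; True if the CA is satisfied."""
    validation = ValidationServer()
    proxy = Proxy(validation, Backend())
    validation.publish(TOKEN, ACCOUNT_JWK)  # the ACME client writes the file
    return ca_validates(proxy, "www.example.com", TOKEN, ACCOUNT_JWK)


if __name__ == "__main__":
    print("validated:", demo())
```

The stand-by proxy in the post is the one piece this model does not cover: routing the challenge prefix to a single validation host means the certificate ends up there too, and copying it to each host that terminates SSL is a separate step after issuance.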