One hostname, multiple IPs

Hi there

I have a specific use case: my hostname resolves to multiple IPs, each one for an HAProxy with the same configuration. They can come and go. Not that often, but still.

Just in case, I tried the dumb way: each proxy grabbing all the certificates. I don’t have that many, so asking a couple of times for the same cert could do. It failed at the ACME challenge: one proxy requires a certificate, Let's Encrypt checks on another, boom.

I see no option in certbot to enforce an IP. So the dumb way is dead, I guess. I’m thinking about various solutions, but before that, did I miss a way to do this, an option, an alternative client to certbot, …?

1 Like

Hi @rgarrigue

There is no such option.

But you can use another solution.

Sample: Create a new subdomain acme.yourdomainname.com (or another name), then redirect

http://yourdomainname.com/.well-known/acme-challenge/random-filename 

-> 

http://acme.yourdomainname.com/.well-known/acme-challenge/random-filename

Then run Certbot with the webroot of acme.yourdomainname.com as authenticator.

Let's Encrypt follows port 80 / 443 redirects to the same or other domains.

So you can use one domain with one IP to create a certificate for a domain name with a lot of IP addresses.

2 Likes
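
The redirect approach from the reply above, sketched as an HAProxy frontend (an added example, not part of the original thread; the frontend name `fe_http` and the webroot path `/var/www/acme` are assumptions):

```haproxy
# Constructed example: deploy the same frontend on every HAProxy node
# that answers for yourdomainname.com.
# acme.yourdomainname.com is the single-IP helper host from the reply above.
frontend fe_http
    bind :80
    mode http

    # Match only ACME HTTP-01 challenge requests, nothing else.
    acl is_acme path_beg /.well-known/acme-challenge/

    # Whichever proxy the validation request lands on, send it to the one
    # host where Certbot wrote the token. %[path] keeps the token filename.
    http-request redirect location http://acme.yourdomainname.com%[path] code 302 if is_acme

    # All other plain-HTTP traffic keeps its usual handling
    # (assumed here: upgrade to HTTPS).
    http-request redirect scheme https code 301 unless is_acme

# On the helper host, with its web server serving /var/www/acme (assumed path)
# for acme.yourdomainname.com over port 80:
#   certbot certonly --webroot -w /var/www/acme -d yourdomainname.com
```

The certificate is issued on the helper host, so it still has to be distributed to each proxy. Because that host can now pass validation for yourdomainname.com, it needs the same level of protection as the proxies themselves.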

Depending on how good your DNS provider is, you might also be able to use DNS-based validation (with API access from your DNS provider). Just ask your DNS provider if they offer API access, and if they do, look for an ACME client that provides support for your DNS provider.

2 Likes

…or consider use of acme-dns, in which case your DNS host doesn’t matter.

2 Likes

All the responses are valid, but this acme-dns seems to be exactly my fit: I think in the long run I’ll have a micro server with acme-dns installed, _acme-challenge.my.domain redirected there, and the acme-dns plugin on my proxies.

Thanks all for your help

1 Like
