We seem to have worked ourselves into a pickle.
We need to renew a bunch of certs on a proxy where the actual web space is on 5 different servers in a round-robin configuration.
We’re using certbot to do the renewals. However, since we can’t shut the apache server down so we can use the stand-alone method, we have to use the manual method. But since the actual web space resides on any of 5 different servers, we can’t complete the challenge/response… without copying the challenge to every server…
More detail at: https://paste.ee/p/uDAIY
So, I’m looking at options:
A renewal client that can bind to a port other than 443 in order to do a stand-alone C/R.
I could set up a configuration on each of our proxies that serves /.well-known/* from the local file system. Then certbot could use a single directory as the webroot for every fqdn.
So, what would you recommend?
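The second option above (each proxy answering /.well-known/acme-challenge/ from its own disk, so certbot can use one webroot for every name) as an added example. This is not configuration from the original post or from certbot itself; it assumes Apache 2.4 with mod_alias and mod_proxy on the proxies, a hypothetical local directory /var/www/acme, and placeholder host names and balancer name.

```apache
# Added example (not from the original post): serve ACME HTTP-01 challenges
# from a local directory on each proxy, so validation never depends on which
# of the five backends would otherwise receive the request.
# Assumptions: Apache 2.4 with mod_alias + mod_proxy; /var/www/acme is a
# hypothetical directory present (with identical content) on every proxy;
# example.org and balancer://backends/ are placeholders.

<VirtualHost *:80>
    ServerName www.example.org
    ServerAlias example.org

    # "ProxyPass ... !" excludes the challenge path from proxying and must
    # appear before the catch-all ProxyPass below (first match wins).
    ProxyPass /.well-known/acme-challenge/ !
    Alias /.well-known/acme-challenge/ /var/www/acme/.well-known/acme-challenge/

    <Directory /var/www/acme/.well-known/acme-challenge/>
        Require all granted
        Options None
        AllowOverride None
    </Directory>

    # Everything else is round-robined to the backends exactly as before.
    ProxyPass / balancer://backends/
    ProxyPassReverse / balancer://backends/
</VirtualHost>
```

With that in place, the renewal on the proxy is a plain webroot run, e.g. `certbot certonly --webroot -w /var/www/acme -d example.org -d www.example.org`; certbot writes the token under `/var/www/acme/.well-known/acme-challenge/` and the proxy serves it without touching the backends. Two things to check before relying on it: if the port-80 vhost carries an HTTP-to-HTTPS redirect (RewriteRule or Redirect), the challenge path must be excluded from it too, and if more than one proxy fronts the same names, the /var/www/acme tree has to be identical on all of them (shared mount or a sync step in the renewal hook), otherwise a validation request that lands on another proxy will get a 404.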