Options for renewing certs on a TLS server that proxies to several other servers (round-robin)


#1

Hi all.

We seem to have worked ourselves into a pickle.

We need to renew a bunch of certs on a proxy where the actual web space is on 5 different servers in a round-robin configuration.

We’re using certbot to do the renewals. However, since we can’t shut the Apache server down so we can use the stand-alone method, we have to use the manual method. But since the actual web space resides on any of 5 different servers, we can’t complete the challenge/response… without copying the challenge to every server…

More detail at: https://paste.ee/p/uDAIY

So, I’m looking at options:

  1. A renewal client that can bind to a port other than 443 in order to do a stand-alone C/R.

  2. I could set up a configuration on each of our proxies that serves /.well-known/* from the local file system. Then certbot could use a single directory as the webroot for every FQDN.

  3. Other options…

So, what would you recommend?

TIA,
Mike.


#2

#1 is not really an option - challenges can only be performed on ports 80 and 443, and you should keep port 80 open for serving redirects.

Personally I would probably do #2.

If your DNS provider has a supported API for performing updates, you could use the DNS challenge which might be easier in that case. Or if not, you could try setting up acme-dns (though that’s less likely to be easy).

Other options… you could use the manual method and use the --manual-auth-hook / --manual-cleanup-hook options to provide scripts to automatically copy the challenge files to the web servers. Or mount a shared filesystem and serve the challenge files from there.
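As an added example (not code from either poster), here is what the last suggestion in the reply above can look like: one POSIX shell script used as both `--manual-auth-hook` and `--manual-cleanup-hook`, writing the HTTP-01 challenge file into a local webroot and copying it to every backend over scp so that whichever round-robin member gets the validation request can answer it. certbot exports `CERTBOT_DOMAIN`, `CERTBOT_TOKEN` and `CERTBOT_VALIDATION` to the hook; the webroot path, the backend host names, key-based ssh access, and the `auth`/`cleanup` argument convention are assumptions for this example.

```shell
#!/bin/sh
# Added example: a combined certbot manual auth/cleanup hook that pushes the
# HTTP-01 challenge file to every backend of a round-robin pool.
#
# Assumed invocation (paths are illustrative):
#   certbot certonly --manual --preferred-challenges http \
#     --manual-auth-hook "/usr/local/bin/acme-hook.sh auth" \
#     --manual-cleanup-hook "/usr/local/bin/acme-hook.sh cleanup" \
#     -d www.example.com
#
# The validator fetches
#   http://$CERTBOT_DOMAIN/.well-known/acme-challenge/$CERTBOT_TOKEN
# and expects the body to be exactly $CERTBOT_VALIDATION.

WEBROOT="${WEBROOT:-/var/www/acme}"              # assumed DocumentRoot on every host
BACKENDS="${BACKENDS:-web1 web2 web3 web4 web5}" # assumed backend host names
ACME_DIR=".well-known/acme-challenge"

# ACME tokens are base64url. Refuse anything else so a hostile or garbled
# value can never become "../../etc/..." when joined onto the webroot path.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# write_challenge ROOT TOKEN VALIDATION -> prints the path of the file written
write_challenge() {
    root="$1"; token="$2"; validation="$3"
    valid_token "$token" || { echo "refusing bad token: $token" >&2; return 1; }
    mkdir -p "$root/$ACME_DIR"
    # printf, not echo: the body must be the validation string with no newline
    printf '%s' "$validation" > "$root/$ACME_DIR/$token"
    echo "$root/$ACME_DIR/$token"
}

# remove_challenge ROOT TOKEN -> deletes the local challenge file if present
remove_challenge() {
    root="$1"; token="$2"
    valid_token "$token" || return 1
    rm -f "$root/$ACME_DIR/$token"
}

# push_to_backends FILE -> copies FILE to the same relative path on each backend
push_to_backends() {
    file="$1"
    for host in $BACKENDS; do
        ssh "$host" "mkdir -p '$WEBROOT/$ACME_DIR'" && \
        scp -q "$file" "$host:$WEBROOT/$ACME_DIR/" || {
            echo "copy to $host failed" >&2; return 1; }
    done
}

# remove_from_backends TOKEN -> best-effort cleanup on each backend
remove_from_backends() {
    token="$1"
    valid_token "$token" || return 1
    for host in $BACKENDS; do
        ssh "$host" "rm -f '$WEBROOT/$ACME_DIR/$token'"
    done
}

# Act only when certbot invoked us (env vars present); running or sourcing
# the file by hand without them does nothing.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    case "${1:-auth}" in
        auth)
            f=$(write_challenge "$WEBROOT" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION") || exit 1
            push_to_backends "$f" || exit 1
            ;;
        cleanup)
            remove_challenge "$WEBROOT" "$CERTBOT_TOKEN"
            remove_from_backends "$CERTBOT_TOKEN"
            ;;
    esac
fi
```

The auth hook exits non-zero if any backend copy fails, so certbot aborts rather than submitting a challenge that only some pool members can answer; the cleanup hook is best-effort. If you instead go with the proxy-side `/.well-known/` alias from option 2, the same `write_challenge` logic is what `certbot --webroot` does for you, and the scp step disappears.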