Renewal with a load balancer


I’ve got some issues setting up the renewal process for a load balanced solution with 2 servers.
Generating the certificate with certbot (w/ Apache) was straight forward for one server but I was not able to do it for the other one. I was getting the error “Incorrect validation certificate for TLS-SNI-01 challenge.”.
To solve that, I just cloned the server who had the protocol set up and I removed the server that was causing trouble.

Now, I’ve got https “running”…that’s awesome but how can I handle the renewal aspect now ?
I cannot run the standard renewal process since I think it will fail for one of the two servers, won’t it ?

How can I solve my problem ?



The TLS-SNI-01 challenge type that the apache plugin uses won’t work reliably in a multi-server environment, because you can’t predict which of the servers will handle the validation request. A better solution would be using the HTTP-01 challenge type with a central validation server (using HTTP 301 redirects), or DNS-01, which would require using an alternative client such as lego or one of the bash clients.

Here’s a short description of the central validation server approach I mentioned, from the Integration Guide.

All of these approaches have one thing in common: distributing the server key and certificate to your servers as well as configuring your web server to use them is something you’ll have to take care of (as opposed to the apache plugin doing it for you).


I was thinking to have a crontab for each of my servers to renew the certificate. I could just set them up at a different time, right ?


The problem is not timing-related, it’s the fact that you don’t know which of your servers is going to receive the validation request. You have two servers and one domain with - I’m assuming - two A records, or a TCP-level load balancer. You don’t know which of your two backend servers is going to receive the validation request that Let’s Encrypt sends out from their backend server, and it will only succeed if it’s the one where you’re currently running the client.


I get your point and I was pretty sure that having two crontabs was not going to work since I was not able to generate two certificates with the same domain name at first. If the creation doesn’t work, I didn’t have high hopes for the renewal.

Basically, the plan would be to let one of the servers master the certificate renewal via its crontab and then somehow “export” (via rsync or I don’t know what yet) it to the other server ? For info, I’m on a “cloud” solution here.


That’s about right. rsync (over ssh) sounds like a good approach here.

If you want to share any additional details about your setup (like what kind of load balancer this is, etc.), it’s possible that someone here has already deployed Let’s Encrypt in a similar environment and might be able to give some additional advice or even some scripts. There’s also a bunch of clients that were made specifically for things like Elastic Load Balancer on AWS (letsencrypt-aws).


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.