Resume certbot DNS challenge session?

I'm also lost on how one single domain name [an FQDN] is being used to host content by multiple entities, presumably at different locations/networks.

I'm understanding:

  • example.com = IP 0
  • example.com/1 = IP 1
  • example.com/2 = IP 2
    ...

Which makes no sense to me - outside of IP 0 being the load balancer,
and the only one capable of "routing" [via proxy] folders to other IPs.

2 Likes

It could be the load balancers are terminating the TLS connection and indeed are reverse proxying to downstream servers. Not sure how that would include servers from OP and servers from the customers though.

In any case, only the host that's terminating the TLS connection requires a publicly trusted certificate; the rest could be handled by a private CA (if an encrypted connection is required between the reverse proxy and downstream hosts).

2 Likes

HTTP validation is theoretically simplest, but you would need to sync the HTTP challenge responses or direct all /.well-known/acme-challenge requests to a single validation server (the one running certbot).

The acme-dns idea is probably the simplest for DNS validation on domains you don't control: just get them to create a CNAME for each domain you need. If you don't want to host your own acme-dns there are hosted variations (yes, I'm biased!), and you can use CAA records to limit issuance to specific ACME accounts (more important when not hosting acme-dns yourself).

2 Likes
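To make the two pieces of that post concrete (the `_acme-challenge` CNAME delegation into an acme-dns zone, and a CAA record that pins issuance to one CA, one validation method and one ACME account), here is an added example that is not code from the thread, from certbot or from the acme-dns project. It is a pre-issuance check you can run against your own zone data: it implements the RFC 8659 CAA lookup (climb from the name toward the root, use the first CAA set found), honours the RFC 8657 `validationmethods` and `accounturi` parameters, and confirms `_acme-challenge.<name>` is a CNAME into the acme-dns zone. The zone contents, the acme-dns hostname `auth.acme-dns.example` and the account URL ending in `/acct/12345` are constructed placeholders, not real records.

```python
"""Added example (not from the thread, certbot or acme-dns): check that a zone's
CAA policy permits a given CA / ACME account / validation method for a name
(RFC 8659 lookup, RFC 8657 parameters) and that _acme-challenge.<name> is
delegated by CNAME into an acme-dns zone. All zone data below is constructed."""
from __future__ import annotations
import re

ACCOUNT = "https://acme-v02.api.letsencrypt.org/acme/acct/12345"  # placeholder account URL
ACME_DNS = "auth.acme-dns.example"                                 # placeholder acme-dns zone

# Constructed sample zone: (owner name, rrtype) -> list of rdata strings.
ZONE = {
    # Apex policy: only Let's Encrypt, only via dns-01, only from our ACME account,
    # and no wildcard issuance at all (issuewild ";").
    ("example.com", "CAA"): [
        f'0 issue "letsencrypt.org; validationmethods=dns-01; accounturi={ACCOUNT}"',
        '0 issuewild ";"',
    ],
    ("_acme-challenge.www.example.com", "CNAME"): [
        f"0a1b2c3d-0000-4000-8000-000000000000.{ACME_DNS}."
    ],
    ("_acme-challenge.api.example.com", "CNAME"): [
        f"4d5e6f70-0000-4000-8000-000000000001.{ACME_DNS}."
    ],
    # A customer-run subdomain with its own CAA set, which overrides the apex policy.
    ("shop.example.com", "CAA"): ['0 issue "digicert.com"'],
}


def parse_caa(rdata: str) -> tuple[int, str, str, dict[str, str]]:
    """Split '<flags> <tag> "<value>"' into (flags, tag, issuer, params).
    The value is 'issuer-domain; key=value; ...'; an empty issuer (";") means no CA."""
    m = re.fullmatch(r'(\d+)\s+(\S+)\s+"([^"]*)"', rdata.strip())
    if not m:
        raise ValueError(f"malformed CAA rdata: {rdata!r}")
    flags, tag, value = int(m.group(1)), m.group(2).lower(), m.group(3)
    parts = [p.strip() for p in value.split(";")]
    params: dict[str, str] = {}
    for p in parts[1:]:
        if p:
            k, _, v = p.partition("=")
            params[k.strip().lower()] = v.strip()
    return flags, tag, parts[0].lower(), params


def caa_lookup(zone: dict, name: str):
    """RFC 8659 s.3: walk from the name toward the root; the first owner with any
    CAA records supplies the relevant set. Returns (owner, parsed records)."""
    labels = name.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrs = zone.get((owner, "CAA"))
        if rrs:
            return owner, [parse_caa(r) for r in rrs]
    return None, []


def issuance_allowed(zone: dict, name: str, ca: str, method: str,
                     account_uri: str, wildcard: bool = False) -> tuple[bool, str]:
    """Decide whether `ca` may issue for `name` using `method` from `account_uri`."""
    owner, rrs = caa_lookup(zone, name)
    if not rrs:
        return True, "no CAA record in the tree: any CA may issue"
    # A record with the critical bit (128) and a tag the CA does not understand blocks issuance.
    for flags, tag, _, _ in rrs:
        if flags & 128 and tag not in ("issue", "issuewild", "iodef"):
            return False, f"critical unknown CAA tag {tag!r} at {owner}"
    kind = "issue"
    if wildcard and any(t == "issuewild" for _, t, _, _ in rrs):
        kind = "issuewild"  # issuewild overrides issue for wildcard names when present
    relevant = [(iss, p) for _, t, iss, p in rrs if t == kind]
    if not relevant:
        return True, f"no {kind} records at {owner}: any CA may issue"
    for issuer, params in relevant:
        if issuer != ca.lower():
            continue
        methods = params.get("validationmethods")
        if methods and method not in [x.strip() for x in methods.split(",")]:
            continue
        acct = params.get("accounturi")
        if acct and acct != account_uri:
            continue
        return True, f"{kind} record at {owner} permits {ca} via {method}"
    return False, f"{kind} records at {owner} do not permit {ca}/{method}/{account_uri or '-'}"


def delegated_to_acme_dns(zone: dict, name: str, acme_dns_zone: str) -> bool:
    """True if _acme-challenge.<name> is a CNAME pointing into the acme-dns zone."""
    rrs = zone.get((f"_acme-challenge.{name}".lower(), "CNAME"), [])
    suffix = "." + acme_dns_zone.lower()
    return any(r.rstrip(".").lower().endswith(suffix) for r in rrs)


if __name__ == "__main__":
    for host in ("www.example.com", "api.example.com", "shop.example.com"):
        ok, why = issuance_allowed(ZONE, host, "letsencrypt.org", "dns-01", ACCOUNT)
        print(f"{host}: CAA {'permits' if ok else 'denies'} ({why}); "
              f"delegated to acme-dns: {delegated_to_acme_dns(ZONE, host, ACME_DNS)}")
```

The point of the `accounturi` check is the one made above about hosted acme-dns: whoever controls the acme-dns record for your CNAME target can answer dns-01 challenges, but with the CAA pinned to your account URI, Let's Encrypt will refuse to issue to any other ACME account even if they can. Remember that CAA is only consulted by the CA at issuance time; this script checks the policy you publish, not what a resolver will actually see, so verify the live records with `dig` before relying on it.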

I understand that every use-case is unique, and there may be legitimate reasons to believe that this is the best and easiest way to integrate with your customers. That said: please do not do this. It undermines the whole purpose of the Automated Certificate Management Environment (ACME). Please try to take whatever steps are necessary to remove this highly-manual process.

I recommend reading the integration guide and the dns-01 delegation guide. Thanks!

7 Likes

Thank you everyone for your input on this; using a combination of answers this is resolved. Using Mike's CNAME and info from Osiris, we're now approaching 95% automation! Jvanasco, your solution is awesome; we're going to look at it in Q2 next year to tie in with some other network changes we're making.

Once again, thank you to everyone. You've been extremely helpful, probably one of the best communities I've used in years.

Marc

5 Likes
