Ubuntu load-balanced server

Hi!

I just found the Let’s Encrypt project and i’m loving it!

I am running into a problem with one of my setups.

This setup has two servers for the same domain, so I will need two certificates to use HTTP/2.

I was able to register the first Let’s Encrypt certificate with no problem.

The second server is attempting to validate by resolving to the wrong ip address.

What I am trying to do is use the ACME Challenge to redirect the request to the other server.

Is this the correct way register two certificates for the same domain on two different servers?

Here is what i’ve tried and done so far:

SERVER A:

My letsencrypt file directory is at /home/ubuntu/letsencrypt/

In apache2.conf I have added

Alias /.well-known/acme-challenge /home/ubuntu/letsencrypt/
<Directory /home/ubuntu/letsencrypt/>
Options Indexes FollowSymLinks
AllowOverride All
Require all granted

SERVER B:

This server has a valid certificate.

I am 301 redirecting all /.well-known/acme-challenge/ requests to SERVER A

This 301 redirect instead of to the domain, I am redirecting to the ip address. If I redirected to the domain, it would cause a redirect loop.

When I visit the link’s that are attempted by the ACME Challenge, they are 404 not found.

I am also seeing this after trying letsencrypt

Domain: domain.com
Type: connection
Detail: Could not connect to
http://domain.com/.well-known/acme-challenge/pDWKvtPYS13x2WecHlsE-b5TJmIa1NfHLNE_mz5w48Y

Here is the letsencrypt line I am typing:

sudo ./letsencrypt-auto certonly --agree-tos --redirect --duplicate --text --email email@domain.com -d mydomain.com

Selecting 2 for webroot directory

Selecting 1 for new webroot

Entering /home/ubuntu/letsencrypt/ for my webroot

I think the issue is with the /.well-known directory and doing a search for that path finds nothing on my system.

What am I doing wrong and how can I get this to work?

Correct me if I’m wrong, but wouldn’t it be easier to mirror (using rsync or something) your key, cert and chains? I mean, to the outside world, whether they arrive at server A or server B is irrelevant, they’ll see the same site, right?

(Keep in mind, your letsencrypt directory contains symlinks, so use the right rsync flags!)

Hi DarkSteve,

That sounds easier. Yes they are the same sites with the same files and same domains. Do the cert files work the same on each server? I thought I had to generate an unique certificate on each of the servers. If I generate it on the main one and push to the others, that works?

Certificates are not server bound. Only domain name(s) bound so to say. And of course, the private key has to correspond with the public key in the certificate

But using rsync (in a secure fashion if there's any chance of a MitM) or something like that will work like a charm

I will see about doing the rsync method. Right now I am not even sure where to begin (permission denied trying to access the directory). Chmod? But i’m just guessing and I don’t want to mess everything up.

I would need to copy /etc/letsencrypt/live/domain/fullchain.pem
and
/etc/letsencrypt/live/domain.com/privkey.pem
?

Am I anywhere close on the original method I posted?

I am not to great on ubuntu and think if I can get that method to work it may be smoother and easier. I have already gotten everything to redirect, but it looks like I am having trouble with the 404 not found error.

Is there another specific directory I should be using for the alias?

I also see a /opt/letsencrypt/
/home/ubuntu/letencrypt/

Thanks for all of your help!

Nope, as Osiris says, the certificate needs to match the domain, that's all. It's also why you'll get an error if you try to connect to the site via IP address instead of domain.

I only suggested rsync because I know it can communicate securely (encrypted connection between the servers) and because it has the appropriate flags to preserve symlinks. Use whatever you're comfortable with, but I used rsync to transfer my letsencrypt directory when I built my replacement server, so I know it works

[quote=“steve420, post:5, topic:18989”]
I am not to great on ubuntu[/quote]

Neither am I! I haven’t used linux since 2004 (I’m a FreeBSD fanboy )

[quote=“steve420, post:5, topic:18989”]
I would need to copy /etc/letsencrypt/live/domain/fullchain.pem
and
/etc/letsencrypt/live/domain.com/privkey.pem?[/quote]
Yes, that sounds right. They’re the only two I’m using in my Apache config.

If you’re more comfortable using your original method (and you can get it working), go for it. It just looks like that’s an extra step for things to go wrong (e.g. client versions get out of sync, or redirecting acme challenges). I like simple, I somehow always find a way for complex solutions to go wrong.

Hi DarkSteve,

I think this method may be easier for the setup that I have. What I was going to do to avoid getting our of sync etc. is rotate every week.

Week 1 my script will redirect from script A to script B, Week 2 my script will redirect for Script B to Script A. I currently use 1 script for all of the files and the redirecting is quite easy to implement.

I should be able to run a cron job bi-weekly and allow each instance to update correct, that’s the plan

I will be looking for how to make the http://domain.com/.well-known/acme-challenge/pDWKvtPYS13x2WecHlsE-b5TJmIa1NfHLNE_mz5w48Y request not a 404.

I wish there was a specific directory I could set for these requests like /home/ubuntu/letsencrypt/.well-known/ ?

Thanks for all of your help!

I was able to copy the files located in /ets/letsencrypt/live/domain/

If anybody else has problems, you must type sudo su to become root before copying. It's not file permissions.

After that everything went smooth. I am now working on the rsync solution to get this auto.

Thanks for all of your help!

Excellent, I’m glad it worked

I’m on FreeBSD, so I use my system a bit different to you. I was hesitant to give too finer grained detail of what I did in case there were unexpected differences (e.g. I didn’t know you needed to “sudo” the su command - weird!)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.