Hi all. I’m looking for some generic advice on what the best practice is for using Let’s Encrypt behind a Load Balancer, specifically with numerous Virtual Hosts and Wildcards.
We are hosting all our websites on Rackspace, and using their preconfigured Load Balancer. We have some certs set up for that Load Balancer but they claim there are some limits to how many we can have before having to pay for another Load Balancer ($$). We would much prefer to switch to Let’s Encrypt so that we can begin to give every new client a cert and not have to charge them so much for it.
All the websites are a LAMP stack running domains like https://www.huntsvillecityschools.org/ on each of the servers, and then each of the nodes behind the Load Balancer. Given that we don’t have direct SSH access to the Load Balancer, and only the nodes, how should we handle the situation?
By that I meant that they claim there's an issue with their CA of choice, which I believe is Comodo, so I don't know.
What's the difference in terminating at the node? As in, my traffic gets to the Load Balancer as HTTPS, but is then stripped thereafter to HTTP? vs. travelling to each node as HTTPS?
What are the benefits of either? I'm assuming it's easier to just terminate SSL on the LB, correct? Is there a decent tutorial or documentation for this scenario? The only one I saw was the Digital Ocean one where they had control over HAProxy.
On one hand, load balancers are no different to web servers. You just configure the LB to treat the acme-challenge URL in a certain way and configure your ACME client to match. On the other hand, managed load balancers can be a little complicated because something external has to coordinate the automated deployment of the certificate to the load balancer.
Probably you don’t want your nodes to have API access to your LB, and the LB doesn’t know how to do Let’s Encrypt on its own.
So you need a third thing which coordinates the deployment of the challenge response (whether HTTP or DNS-based) and then deployment of the resulting certificate to the LB via the Rackspace API.
That’s probably going to be some custom scripting - I don’t see anything online that targets Rackspace’s services specifically.
The issue is... Does Rackspace support multiple certificates per load balancer? (As I understand it, you have several nodes behind one single load balancer that processes everything... including TLS termination.)
Also, as @_az suggested, this is a complicated process, since you would need to request every client to either provide you their DNS API credentials or CNAME _acme-challenge to your 'validation domain' (a domain that has an API endpoint), since Let's Encrypt requires all wildcard domains to be validated through DNS-01 challenges.
The above-mentioned part is painful if you have a large amount of domains & want to give them a certificate dedicated to their own domain (not shared with other clients...)
(However.. I do think the painful step is mapping the certificates to each domain after requesting it...)
Here is a reference to the specific API you'll need to use to map the certificates..
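As an added illustration (not code from the thread or from Rackspace), here is the DNS-01 bookkeeping the coordinating "third thing" from the replies above has to get right before it can issue wildcard certs: check that each client's `_acme-challenge` label is CNAME-delegated to the validation domain, and compute the TXT record the validation domain's API must publish. The validation domain, client names and the CNAME map are constructed placeholders; a real run would replace the map with DNS lookups.

```python
import base64
import hashlib

# Assumed/constructed: the hosting provider's delegation domain.
VALIDATION_DOMAIN = "acme-validation.example.net"


def dns01_txt_value(key_authorization: str) -> str:
    """RFC 8555 s8.4: TXT value is base64url(SHA-256(keyAuthorization)) without '=' padding."""
    digest = hashlib.sha256(key_authorization.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def delegation_target(client_domain: str) -> str:
    """Name under the validation domain that _acme-challenge.<client> should CNAME to."""
    return f"{client_domain}.{VALIDATION_DOMAIN}"


def check_delegations(client_domains, cname_lookup):
    """Return (ok, problems). cname_lookup maps an owner name to its CNAME target or None.

    A wildcard *.client.example and the bare client.example both validate at the
    same label, _acme-challenge.client.example, so one delegation covers both.
    """
    ok, problems = [], []
    for domain in client_domains:
        name = f"_acme-challenge.{domain}"
        expected = delegation_target(domain)
        target = cname_lookup.get(name)
        if target is None:
            problems.append((domain, f"no CNAME at {name}; cannot use delegated DNS-01"))
        elif target.rstrip(".").lower() != expected.lower():
            problems.append((domain, f"{name} points to {target}, expected {expected}"))
        else:
            ok.append(domain)
    return ok, problems


def txt_record_for(client_domain: str, key_authorization: str):
    """(owner name, value) the validation-domain API must publish for this client's challenge."""
    return delegation_target(client_domain), dns01_txt_value(key_authorization)


# Constructed stand-in for DNS answers: two clients delegated correctly, one wrong, one missing.
SAMPLE_CNAMES = {
    "_acme-challenge.client-a.example": "client-a.example.acme-validation.example.net.",
    "_acme-challenge.client-b.example": "CLIENT-B.example.acme-validation.example.net",
    "_acme-challenge.client-c.example": "client-c.example.other-provider.example",
}
SAMPLE_CLIENTS = ["client-a.example", "client-b.example", "client-c.example", "client-d.example"]
```

Only clients in the `ok` list should be handed to the ACME client for a wildcard order; the `problems` list is what you send back to the client (or their DNS host) before retrying.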