Wildcards Behind a Load Balancer


#1

Hi all. I’m looking for some generic advice on what the best practice is for using Let’s Encrypt behind a Load Balancer, specifically with numerous Virtual Hosts and Wildcards.

We are hosting all our websites on Rackspace, and using their preconfigured Load Balancer. We have some certs setup for that Load Balancer but they claim there are some limits to how many we can have before having to pay for another Load Balancer ($$). We would much prefer to switch to Let’s Encrypt so that we can begin to give every new client a cert and now have to charge them so much for it.

All the websites are a LAMP stack running domains like https://www.huntsvillecityschools.org/ on each of the servers, and then each of the nodes behind the Load Balancer. Given that we don’t have direct SSH access to the Load Balancer, and only the nodes, how should we handle the situation?

Thanks.


#2

Sounds like you would still have that problem even if you used Let’s Encrypt?

Do you mean perhaps that you want to terminate SSL on your nodes instead of the load balancer?


#3

By that I meant that they claim there’s an issue with their CA of choice, which I believe is Comodo, so don’t know.

What’s the difference in terminating at the node? As in, my traffic gets to the Load Balancer as HTTPS, but is then stripped thereafter to HTTP? vs Travelling to each node as HTTPS?

What are the benefits of either? I’m assuming it’s easier to just terminate SSL on the LB correct? Is there are a decent tutorial or documentation for this scenario? The only I saw was the Digital Ocean one where they had control over HAProxy.


#4

On one hand, load balancers are no different to web servers. You just configure the LB to treat the acme-challenge URL in a certain way and configure your ACME client to match. On the other hand, managed load balancers can be a little complicated because something external has to coordinate the automated deployment of the certificate to the load balancer.

Probably you don’t want your nodes to have API access to your LB, and the LB doesn’t know how to do Let’s Encrypt on its own.

So you need a third thing which coordinates the deployment of the challenge response (whether HTTP or DNS-based) and then deployment of the resulting certificate to the LB via the Rackspace API.

That’s probably going to be some custom scripting - I don’t see anything online that targets Rackspace’s services specifically.


#5

I also found this in their docs:

By default, a load balancer supports a maximum of 20 certificate mappings.

This limitation is independent of which CA you use, so if you have more sites than that, then you should reconsider your use of the managed LB!


#6

Hi,

The issue is… Does rackspace support mutiple certificates per load balancer? (As I understand you are having several nodes behind one single load balancer that process everything… Including TLS termination)

Also, as @_az suggested, this is a complicated process since you would need to request every client to either provide you their DNS API credentials or cname _acme-challenge to your ‘validation domain’ (which that domain have a API endpoint) since let’s encrypt required all wildcard domains to validate through DNS-01 challenges.

The above mentioned part is painful if you have a large amount of domains & want to gave them certificate dedicated to their own domain (not shared with other clients…)

(However… I do think the painful step is map the certificates to each domain after requesting it…)
Here are a reference to the specific API you’ll need to use to map the certificates…

Thank you


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.