I can confirm this works.
```nginx
# Catch ACME HTTP-01 challenge requests on every vhost and hand them
# to the controller machine, which is where certbot (webroot mode) runs.
location ~ /.well-known/acme-challenge/ {
    proxy_pass http://ctrl.mydomain.com:80;
}
```
Using nginx, I added this location to ALL server blocks.
You then run Let's Encrypt on the machine ctrl.mydomain.com (this machine is typically the controller machine and is not serving web stuff; its pure purpose from a web POV is to handle incoming cert requests. If you don't know what a controller machine is, then read up on Ansible).
To make it work I had to use the webroot plugin for Let's Encrypt. I could not get standalone mode to work.
My A records look like ...
www01.mydomain.com points to 1.2.3.4
www02.mydomain.com points to 2.3.4.5
ctrl.mydomain.com points to 3.4.5.6
mydomain.com points to 1.2.3.4 and 2.3.4.5 (multiple A records)
www.mydomain.com is an alias (cname) for mydomain.com
NGINX runs on www01 and www02 on port 80 to load balance requests (e.g. www01 load balances between www01 and www02; www02 ALSO load balances between www01 and www02).
The above Let's Encrypt location block is added to NGINX running on both www01 and www02 for all NGINX server blocks.
Now run Let's Encrypt in webroot mode (you will need to stand up a web server on your controller machine) and request a single certificate for www01.mydomain.com, www02.mydomain.com, mydomain.com and www.mydomain.com.
When you run this command on your controller machine (ctrl.mydomain.com) it will fire off a request to each of the 4 domains in turn. Every single request will be proxied back to ctrl.mydomain.com via NGINX.
bosh!
2 tips
1 - to use webroot mode you will need to have a basic web server running on ctrl.mydomain.com which can serve content from a specified directory
2 - do not use standalone mode, I could not get it to work
3 - this solution sits very nicely if you are using ansible, since the certs will live on the controller machine and can be copied across to all slave machines with a single command
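One failure mode of the setup above is a vhost that was missed when pasting the location block into "ALL server blocks": the challenge for that name is then answered by the wrong backend and validation fails. The following script is an added example, not part of the post or of certbot/nginx; it walks an nginx config (a constructed sample is embedded) and reports every server block that has no acme-challenge location proxied to ctrl.mydomain.com.

```python
import re

# Constructed sample config: the second server block is missing the ACME location.
SAMPLE_CONF = """
http {
    server {
        listen 80;
        server_name www01.mydomain.com mydomain.com;
        location ~ /.well-known/acme-challenge/ {
            proxy_pass http://ctrl.mydomain.com:80;
        }
        location / { proxy_pass http://backend; }
    }
    server {
        listen 80;   # this vhost was forgotten when the block was rolled out
        server_name www.mydomain.com;
        location / { proxy_pass http://backend; }
    }
}
"""

ACME_PATH = "/.well-known/acme-challenge/"

def server_blocks(conf):
    """Yield (server_name list, body text) for every server { ... } block."""
    text = re.sub(r"#.*", "", conf)            # drop comments first
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()                  # brace-walk to the matching '}'
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        body = text[m.end():i - 1]
        names = re.search(r"server_name\s+([^;]+);", body)
        yield (names.group(1).split() if names else ["<unnamed>"]), body

def missing_acme_location(conf, controller):
    """Return the server_name lists of blocks with no ACME location proxied to controller."""
    missing = []
    for names, body in server_blocks(conf):
        loc = re.search(r"location\s+[^{]*" + re.escape(ACME_PATH) + r"\s*\{([^}]*)\}", body)
        if not loc or controller not in loc.group(1):
            missing.append(names)
    return missing

if __name__ == "__main__":
    for names in missing_acme_location(SAMPLE_CONF, "ctrl.mydomain.com"):
        print("no ACME proxy location in server block for:", " ".join(names))
```

Run it against the real nginx.conf (e.g. the output of `nginx -T`) before requesting the certificate; an empty result means every vhost will hand the challenge to the controller.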