Let's Encrypt and 2 (or more) servers

July 10, 2018

Purpose

As a DevOps engineer, I often use Let's Encrypt certificates for free, secure HTTPS. With a little experience they are very easy to install and to renew automatically. Most of the time I use them with Nginx. Recently I wanted to build a cluster behind a single domain and ran into some difficulties. Here is my solution.

Context

I am starting my own business (stay tuned!). We need a simple cluster of servers: no load balancing, only a simple failover. Multiple DNS A records are enough for that. Because we built our own client (not a web browser), we can use this simple trick.

But we need HTTPS on both servers, with the same certificate on both.

Problem

After a few weeks, we had random errors on certificate renewal (a cronjob running certbot renew). Sometimes the challenge failed. Here was the reason: with two A records, the Let's Encrypt validation request can reach either server, and only the server running certbot holds the challenge answer.

So it fails randomly. Only one server should renew certificates; an rsync job can replicate them to the others.

Working solution

After setting up a simple rsync job (over SSH, for the /etc/letsencrypt directory), I decided that only server1 renews certificates with certbot.

Source : https://www.dbsysnet.com/tag/ssl

Let's Encrypt validates the domain when it gets the expected response at /.well-known/acme-challenge/<uniqueRandomId> (the HTTP-01 challenge).

All I did was in the Nginx configuration of server2: proxy requests for /.well-known/acme-challenge/* to server1.

    server {
        listen 80;
        server_name mydomain.com;

        # Only server1 runs certbot, so forward the ACME HTTP-01 challenge
        # requests there. Keep the original Host header so the request lands
        # in server1's "mydomain.com" server block, where certbot answers.
        # Use a literal host name: a variable in proxy_pass would also need
        # a resolver directive and changes how the URI is passed.
        location /.well-known/acme-challenge/ {
            proxy_set_header Host $host;
            proxy_pass http://server1.mydomain.com/.well-known/acme-challenge/;
        }
    }

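To check the setup end to end from a workstation, here is an added script (not from the original post): it resolves every A record of the domain, requests a probe file through each IP with the real Host header, and compares the certificate fingerprints served on port 443. It assumes mydomain.com, that you placed a file named `probe` containing `ok` in server1's acme-challenge webroot, and that dig, curl and openssl are installed.

```bash
# Added check, not from the original post: confirm that every A record of the
# domain forwards the ACME HTTP-01 path to server1 and that all servers present
# the same certificate after rsync. Needs dig, curl and openssl on the caller.
set -eu

# Keep only IPv4 addresses from `dig +short` output (it may also print CNAMEs).
only_ipv4() { grep -E '^[0-9]+(\.[0-9]+){3}$' || true; }

# All A records of the domain: the failover trick relies on there being several.
a_records() { dig +short A "$1" | only_ipv4; }

# Fetch the challenge file from one specific IP while sending the Host header
# exactly as Let's Encrypt would; prints the body, or "unreachable".
probe_challenge() {   # $1=ip $2=domain $3=token
  curl -s --max-time 10 --resolve "$2:80:$1" \
    "http://$2/.well-known/acme-challenge/$3" || printf 'unreachable'
}

# SHA-256 fingerprint of the certificate one IP serves for the domain (or "none").
cert_fingerprint() {  # $1=ip $2=domain
  fp="$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2)"
  printf '%s' "${fp:-none}"
}

# Succeeds when every whitespace-separated word in $1 is identical (word splitting intended).
all_same() { [ "$(printf '%s\n' $1 | sort -u | wc -l)" -eq 1 ]; }

# $1=domain $2=token of a probe file you placed in server1's challenge webroot
# $3=expected file content. Returns non-zero if any server fails a check.
check_cluster() {
  fps=""; rc=0
  for ip in $(a_records "$1"); do
    if [ "$(probe_challenge "$ip" "$1" "$2")" = "$3" ]; then
      echo "OK   $ip answers /.well-known/acme-challenge/$2"
    else
      echo "FAIL $ip does not serve the challenge (proxy to server1 broken?)"; rc=1
    fi
    fps="$fps $(cert_fingerprint "$ip" "$1")"
  done
  [ -n "$fps" ] || { echo "FAIL no A record found for $1"; rc=1; }
  all_same "$fps" || { echo "FAIL certificate differs between servers (rsync not run?)"; rc=1; }
  return $rc
}

# Example: ACME_CHECK_DOMAIN=mydomain.com ACME_CHECK_TOKEN=probe ACME_CHECK_EXPECTED=ok bash check.sh
if [ -n "${ACME_CHECK_DOMAIN:-}" ]; then
  check_cluster "$ACME_CHECK_DOMAIN" "${ACME_CHECK_TOKEN:-probe}" "${ACME_CHECK_EXPECTED:-ok}"
fi
```

Run it after each renewal on server1 and after the rsync job: a FAIL on the challenge line means the proxy on that server is broken, a FAIL on the fingerprint line means the replication has not happened yet.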

Now it works in all cases!