Letsencrypt certbot with loadbalancer

Hi everyone,

I’m using certbot to auto renew ssl certs after every 3 months or so. It’s fine and dandy after a few years. The problem arrives when I tried to introduce a load balancer and additional nodes.

Since I’m serving media files, I cannot proxy through CloudFlare and use an Origin CA certification, which would make this a lot easier.

With that being said, what are some ways I can do to get this working? The original server will be part of the cluster, should I just let it auto renew SSL certs and call it the master node, and the other 3 servers can rsync the certs over with a cron job or something? My problem is that I’m afraid the auto renew process will fail as the challenge might be distributed to a different node rather than the master node? (or is my assumption flawed here).

Any insights on how to approach this would be very helpful!

This sounds like an issue that everybody with load balancing face, not just due to Cloudflare.

Have you tried a Google search for possible solutions?


Seems like dropping CloudFlare from “CloudFlare DNS load balancer and ssl auto renew” query opened up a wider search result on Google. Thanks for that suggestion. Looks like I need to work on my Googling skill.

Also to answer my original my original question,
Yes, it is possible to let certbot auto renew on an assigned server in the cluster, and sync the new certs to other servers (or have others sync from) via a cron job or other automated processes. The only problem here is that when renewing the cert via txt, the certbot can hit any of the node in the cluster beside the main node where that the acme challenge txt resides. In my case, since I use NginX, I can proxy forward all the traffic from all the nodes to that location where the acme challenge text lives to the master node dns, like so

location ^~ /.well-known/acme-challenge {
       proxy_pass http://master.mysite.com:80;

I would imagine other webservers will have similar functionality to do something like that.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.