LetsEncrypt on multiple HAProxy instances across servers

Looking at the instructions here: https://certbot.eff.org/lets-encrypt/ubuntubionic-haproxy

I'm in a situation where I have 2 HAProxy instances, each in a Docker container, on different machines. The domain names are the same. This is done for redundancy purposes.

Googling "multiple letsencrypt" or "multiple certbot" just leads to solutions for creating certificates for many domains at the same time.

This is good for subdomains, but it doesn't explain what I'm expected to do if I have more than 1 server running HAProxy.

Run certbot on 1 server only, then copy the file over? If so, what about renewing the certificate? Can it no longer be automated?

Also, because of URLs, certain subdomains will go to one server or the other. But both must be able to serve all the URLs.

Or does this situation call for a different approach entirely? Should I use the manual mode, generate the certificates, and then update them manually?

Thanks for any help.
Solution 1:[1]

I would suggest you go with getssl, which is a "simple" Bash script that takes care of:

  • deploying the challenge file to all the required nodes, in the right place, and even reloading the remote node's web server
  • deploying/copying the generated SSL certificate files to the remote nodes too

It can use SSH, SFTP or FTPS to transfer files. You can then add a cron job to execute getssl every day, and it will renew the certificate and distribute it when done (a config setting lets you tell it when to renew the certificate).
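The same "renew on one node, copy the combined PEM to the others, reload" loop can also be automated with certbot alone, which is what the question was originally using. Below is an added example (not code from the original post, from certbot or from getssl): a script meant to run as a certbot `--deploy-hook`, so it executes only after a successful renewal. It builds the single PEM file HAProxy wants (full chain followed by private key), installs it locally, then pushes it over scp/ssh to each peer and reloads HAProxy there. The peer list, the remote directory, the container name in the reload command and the cert paths are assumptions to adjust; certbot itself exports `RENEWED_LINEAGE` to deploy hooks. It assumes the ACME challenge is already answered on the node running certbot (for example via DNS-01, or the multi-node challenge deployment the answer describes), because HTTP-01 traffic may land on either HAProxy when DNS points at both.

```shell
#!/usr/bin/env sh
# Added example: certbot deploy hook that assembles the HAProxy PEM and
# distributes it to peer HAProxy nodes. Not part of the original post.
set -eu

# --- assumptions (hypothetical values; change for your environment) ---
PEERS="${PEERS:-}"                                   # e.g. "deploy@lb2.example.com deploy@lb3.example.com"
LOCAL_DIR="${LOCAL_DIR:-/etc/haproxy/certs}"         # where the local HAProxy reads its PEMs
REMOTE_DIR="${REMOTE_DIR:-/etc/haproxy/certs}"       # same directory on the peers (assumed)
RELOAD_CMD="${RELOAD_CMD:-docker kill -s HUP haproxy}" # container assumed to be named "haproxy"

# Concatenate fullchain.pem + privkey.pem into one file, cert first, as
# HAProxy's `crt` option expects. Written with mode 600 because the private
# key is inside. $1 = certbot lineage directory, $2 = output path.
build_haproxy_pem() {
  lineage="$1"; out="$2"
  if [ ! -s "$lineage/fullchain.pem" ] || [ ! -s "$lineage/privkey.pem" ]; then
    echo "build_haproxy_pem: fullchain.pem/privkey.pem missing in $lineage" >&2
    return 1
  fi
  umask 077
  cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$out.tmp"
  mv "$out.tmp" "$out"            # atomic swap so HAProxy never sees a half-written file
  echo "$out"
}

# Copy the PEM to every peer and reload HAProxy there. Upload to a temp name
# and rename remotely so a reload cannot pick up a partial file.
distribute_pem() {
  pem="$1"; name=$(basename "$pem")
  for peer in $PEERS; do
    scp -q "$pem" "$peer:$REMOTE_DIR/$name.tmp"
    ssh "$peer" "mv '$REMOTE_DIR/$name.tmp' '$REMOTE_DIR/$name' && $RELOAD_CMD"
  done
}

main() {
  lineage="$RENEWED_LINEAGE"               # e.g. /etc/letsencrypt/live/example.com
  pem=$(build_haproxy_pem "$lineage" "$LOCAL_DIR/$(basename "$lineage").pem")
  $RELOAD_CMD                              # reload the local instance first
  distribute_pem "$pem"                    # then the peers
}

# certbot sets RENEWED_LINEAGE when it invokes a deploy hook; when the
# script is merely sourced (or run by hand without it), do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Register it once with `certbot renew --deploy-hook /path/to/this-script.sh` (or put it under `/etc/letsencrypt/renewal-hooks/deploy/`) and the stock certbot cron/systemd timer handles renewal; the hook only fires when a certificate actually changed. Because the hook ships a private key over SSH, use a dedicated key pair for it and restrict what that key may do on the peers (an `authorized_keys` `command=` wrapper that only accepts the upload and the reload is the usual approach), rather than giving the renewal node an unrestricted login on the other load balancers.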

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 ZedTuX