
SSL Letsencrypt LetsEncrypt on RoundRobin fails

Discussion in 'Domains, DNS, Email & SSL Certificates' started by SuperNOVA91, Apr 26, 2020.

  1. SuperNOVA91 (New Member, joined Oct 22, 2018)

    Hello,

    I have a media serving subdomain on a RoundRobin setup with two A records pointing to
    176.10.10.10 and 51.86.86.20 (example IPs)

    Now when I try getting LetsEncrypt certificate on Server 1, I get the following error:

    Code:
    statics.example.com is not a top level domain
    your server IPv4 IP address: 176.10.10.10
    current DNS A record IPv4 address for statics.example.com is: 176.10.10.10 51.86.86.20
    
    !! Error: DNS A record IP doesn't match any found on this server
    And similarly, I get the following error on Server 2:

    Code:
    statics.example.com is not a top level domain
    your server IPv4 IP address: 51.86.86.20
    current DNS A record IPv4 address for statics.example.com is: 176.10.10.10 51.86.86.20
    
    !! Error: DNS A record IP doesn't match any found on this server
    As you can see, the IP addresses for both servers are present as A records, but the script maybe only expects one in return, so it fails.

    How can I get a LetsEncrypt certificate for both servers with this RoundRobin setup?
     
  2. eva2000 (Administrator, Staff Member, joined May 24, 2014, Brisbane, Australia)

    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    The next message after those errors is a prompt asking if you want to continue or not with the process. The errors are just notices, so if you know that your server's IP address is correct in a round robin setup, you can just answer yes = y to continue.

    However, you will only get 1 server with letsencrypt issued and set up for auto renewal; the other server in the round robin will not get the vhost set up, nor will it get letsencrypt issued. The Centmin Mod Letsencrypt nginx vhost setup is not designed for load balanced servers out of the box. If you need load balanced server Nginx vhost issuance, you can't use native webroot authentication but need to use DNS based letsencrypt authentication, which Centmin Mod only supports semi-manually/auto for the Cloudflare DNS API; see links at Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01 - specifically Letsencrypt - Official acmetool.sh testing thread for Centmin Mod 123.09beta01. For other DNS providers' APIs you can see what is supported by acme.sh at acmesh-official/acme.sh, which is the underlying tool addons/acmetool.sh uses.
     
  3. eva2000 (Administrator, Staff Member, joined May 24, 2014, Brisbane, Australia)

    Nginx 1.31.x
    MariaDB 10.x/11.4+/12.3+
    Ideally for load balanced / round robin / multi server setups, you want to set up shared disk space for the letsencrypt SSL certs issued, so all servers read the letsencrypt SSL certificates from the same stored path and you only need to issue and renew on one server, with the rest of the servers reading and using that letsencrypt SSL certificate.
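Whichever way the certificate reaches the other nodes (shared storage, a copy after renewal), the failure mode to watch for is one A record still serving the old certificate because that node never reloaded or never received the file. The script below is an added check for that, not Centmin Mod's or acmetool.sh's code: it fetches the SHA-256 fingerprint each round-robin address serves for the hostname and lists the nodes that differ from the first one (list the issuing server first). The function names are this example's own; the `openssl s_client` and `openssl x509` options used are standard ones. The sample fingerprints at the bottom are constructed values so the comparison runs offline.

```shell
#!/bin/sh
# Added example (not Centmin Mod's own code): after certificates are shared or
# synced between round-robin nodes, confirm every A record serves the same
# certificate. A node that kept an old file shows up as a different fingerprint.

# SHA-256 fingerprint of the certificate that address $2 serves for SNI name $1.
# This part needs network access; output is empty if the node is unreachable.
served_fingerprint() {
    host=$1
    ip=$2
    openssl s_client -connect "$ip:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//'
}

# Read lines of "<ip> <fingerprint>" on stdin and print the IPs whose fingerprint
# differs from the first line's. Prints nothing when all nodes agree. Pure text
# processing, so it can be exercised offline.
divergent_nodes() {
    awk 'NR == 1 { ref = $2; next } $2 != ref { print $1 }'
}

# Gather one "<ip> <fingerprint>" line per A record and report disagreement.
# Usage: check_round_robin statics.example.com 176.10.10.10 51.86.86.20
check_round_robin() {
    host=$1
    shift
    lines=""
    for ip in "$@"; do
        fp=$(served_fingerprint "$host" "$ip")
        lines="$lines$ip ${fp:-UNREACHABLE}
"
    done
    bad=$(printf '%s' "$lines" | divergent_nodes)
    if [ -n "$bad" ]; then
        echo "!! nodes serving a different certificate for $host:"
        echo "$bad"
        return 1
    fi
    echo "OK: all A records for $host serve the same certificate"
}

# Constructed sample: the first node was reloaded after renewal, the second
# still serves the old certificate. Fingerprints are made-up placeholders.
sample='176.10.10.10 AA:BB:CC:01
51.86.86.20 AA:BB:CC:02'
printf '%s\n' "$sample" | divergent_nodes
# prints: 51.86.86.20
```

Running `check_round_robin` from cron after the renewal window turns a silent half-renewed round robin into an alert; with a single shared certificate path plus a reload on every node it should print the OK line.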
     
  4. SuperNOVA91 (New Member, joined Oct 22, 2018)

    Thanks, so I tried ignoring the cautions and getting LetsEncrypt, but it failed. Upon checking logs, it seems that when I tried to get a certificate on Server A, it was trying to access Server B. I understand this is just pure luck with round robin.

    To get around this, I "think" if I share the public/.well-known folder from Server A to Server B and try getting the certificate, it should work. Is this correct?

    And once I have certificate on server A, I can just share the certificate folder from A to B again and set A to auto-renew certificates. This way both servers will use the certificate issued to A.

    Is this what you suggested earlier?