Annoying Let’s Encrypt

Let’s Encrypt (aka https://letsencrypt.org/) is a nice way to NOT spend money on SSL certificates for your websites (especially when you’re operating personal sites), BUT at the same time it is fairly annoying when your setup is a bit different from the standard ones.

In my particular case, I’m running my site on multiple servers (just run a dig on this subdomain and you’ll understand), with haproxy being the public listener (also handling SSL termination) and apache running on a few backend nodes (for that sweet HA).

The problem with a setup like this is that any LE command to issue / renew / revoke a cert will not run on the actual webserver that’s serving the site (because there’s more than one, and because that’s not always a good idea anyway) but on a separate environment, and when that happens you have to be creative.

In my particular case I created an acl in the frontend section for my website that looks like this:

acl letsencrypt-acl path_beg /.well-known/acme-challenge/
use_backend le-backend if letsencrypt-acl

and added that right before the actual line containing the reference to the backend that will handle the website. Then I created a separate backend section that looks like this:

backend le-backend
server obscureserver 10.10.10.100:80 check

which points to the IP of an apache server running on a node where the certbot tool is installed.

What this does for me is: it captures all requests to /.well-known/acme-challenge/whatever (which is the LE challenge path) and forwards them to the apache server that can actually serve them (considering that’s where the certbot command is executed with the --webroot -w /var/www/html/ params).
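For context, here is how those two pieces sit inside a full frontend/backend layout. This is an added example, not the original post’s config; the frontend and backend names, the example.com certificate path, the 10.10.10.11/12 web node addresses and the HTTP-to-HTTPS redirect are assumptions, while the ACL and le-backend are the ones from above.

```haproxy
# Assumed layout: HAProxy terminates TLS and balances two apache nodes,
# while ACME HTTP-01 challenges are sent to the node that runs certbot.
frontend web-in
    bind *:80
    # HAProxy expects cert chain + private key concatenated in one PEM (assumed path)
    bind *:443 ssl crt /etc/haproxy/certs/example.com.pem

    # ACME challenge routing: must come before the redirect and the default
    # backend, otherwise the challenge never reaches the certbot node.
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend le-backend if letsencrypt-acl

    # Everything else on plain HTTP goes to HTTPS; the challenge path is
    # deliberately excluded so it is served over port 80 as-is.
    redirect scheme https code 301 if !{ ssl_fc } !letsencrypt-acl

    default_backend web-backend

# The node where certbot runs with --webroot -w /var/www/html/ (from the post)
backend le-backend
    server obscureserver 10.10.10.100:80 check

# The real site, served by the apache nodes (addresses assumed)
backend web-backend
    balance roundrobin
    server web1 10.10.10.11:80 check
    server web2 10.10.10.12:80 check
```

Because HAProxy, not apache, owns the TLS listener, the certbot node only proves control of the domain; the issued chain and key still have to be bundled into the single PEM that the `crt` directive reads and then made available to the HAProxy host (with a reload) on every renewal.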

Nice and simple, right? 🙂 Enjoy!
