I'm having some issues setting up Let's Encrypt for a couple of websites that are set up on two different servers, and have the traffic distributed to them via HAProxy.
The servers have a number of VHosts/domains on them, all of which are going to need SSL certificates. For the sake of this post, let's say they're:
- foo.some-site.com
- bar.some-site.com
Both of these A records are set up with two IP addresses. I can verify with nwtools.com or just nslookup that both of the A records foo.some-site.com and bar.some-site.com resolve to the same two IP addresses. And I know that Let's Encrypt requires the vhost to have a valid record so it can do a lookup.
I planned on running the Let's Encrypt setup on both servers for all the vhosts, and it worked fine for one of them, but when I moved on to the second one, I got an error:
[root@server httpd]# /opt/letsencrypt/letsencrypt-auto --apache -d foo.some-site.com
Checking for new version...
Requesting root privileges to run letsencrypt...
/root/.local/share/letsencrypt/bin/letsencrypt --apache -d foo.some-site.com
Failed authorization procedure. foo.some-site.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to host for DVSNI challenge
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: foo.some-site.com
Type: connection
Detail: Failed to connect to host for DVSNI challenge
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Could this possibly be because it's doing a lookup or trying to curl foo.some-site.com, and it may be getting directed to the other server? I'm not sure how that would really matter, since both have the same VHosts on them, unless Let's Encrypt is actually listening for the connection that it's making itself...
What's throwing me off is it worked for one of them just fine (say bar.some-site.com), so why would it work for one site, but fail for another one with the exact same setup?
If anyone knows of a way to get Let's Encrypt set up for the same vhosts on two different servers, the help would be much appreciated!
Yes, most definitely.
LE needs to connect back to the server you're running the LE client on, as part of the domain verification challenge-response process. Without getting into details, the LE client actually makes a certain file available in your webserver temporarily that the LE server needs to be able to consume to verify domain ownership.
Running this command on all of the back-end servers is unnecessary and cumbersome. Run it once, and then copy the key and certificate chain to the rest of the back-end servers.
Because you got lucky? :) It is possible that by chance your load balancer directed the LE requests to the right location once, but didn't do it the second time.
There are several approaches to scenarios involving multiple web/app servers/load balancers. You can read about some of them in the Official Let's Encrypt Integration Guide for larger environments.
There are some neat ways of doing it, like:
What makes sense for you will depend on your preferences and various environment specific requirements.
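One concrete way to keep the validation request reaching the server that runs the client, as an added example that is not part of the original answer: an HAProxy fragment that pins the ACME challenge path to a single back-end while everything else stays load-balanced. It assumes the file-based http-01 challenge the answer describes (not the tls-sni-01 challenge shown in the error output, which cannot be routed by URL path), and the back-end names and addresses are placeholders.

```haproxy
# Added example, not from the original post or from HAProxy's own docs.
# Goal: every request for /.well-known/acme-challenge/ lands on web1, the
# one back-end where the Let's Encrypt client is run, so the validator
# never hits a server that has no challenge file. Normal traffic is still
# balanced across both back-ends. Addresses below are placeholders.

frontend http_in
    bind *:80
    # Match only the path the ACME validator fetches.
    acl is_acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme_challenge if is_acme_challenge
    default_backend web_pool

backend acme_challenge
    # Single server: the one on which letsencrypt-auto / certbot is run.
    # After issuance, copy the certificate chain and key to web2 as the
    # answer above suggests; web2 never needs to answer a challenge.
    server web1 10.0.0.11:80 check

backend web_pool
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

If TLS is instead terminated on HAProxy itself, the same challenge routing still applies on port 80, and the issued certificate chain and private key are concatenated into one PEM file referenced by `bind *:443 ssl crt <file>`, so the back-ends need no copy of the certificate at all.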