> > > 2. This (same) certificate chain and associated private key is
> > > deployed on all the backend servers that sit behind the load-balancer.
> >
> > I wrote that CNAME doesn't work with several backends.
> > I now see it works if all backends share the same key and cert. Sounds
> > good)
>
> They don't even need to have the same key and cert, so long
> as they each have some key and a matching cert for that key
> that has the right DNS subject (alt) name.
So, each backend can have its own certificate, but for the same DNS name (haproxy.example.com), right? I didn't know that letsencrypt could issue a new certificate without revoking the old one.

Just curious: what do you think about replacing HAProxy with a "frontend" Postfix that receives mails and forwards them to the backend using $relayhost with several values?
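The point made in the thread is that backends may each carry their own key and certificate, as long as every certificate's DNS subject alt name covers the shared front-end name. The following checker is an added example written for this page, not code from the thread or from Postfix/HAProxy: it applies RFC 6125-style DNS-ID matching to certificates in the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, so the same logic runs offline on constructed sample certs and online against real backends. The name `haproxy.example.com` comes from the thread; the backend names, serial numbers and the `fetch_backend_cert` helper are assumptions made for the example.

```python
"""
Added example (not from the thread): verify that every backend behind a
load balancer presents a certificate whose subjectAltName covers the
shared front-end name, even though each backend may use its own key pair.

Hostname matching follows RFC 6125 section 6.4.3: exact match, or a
wildcard that is the entire leftmost label, with at least two labels
after it, and never spanning a dot. Certificates are represented in the
dict shape that ssl.SSLSocket.getpeercert() returns.
"""
import socket
import ssl


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-ID match; wildcard allowed only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Reject partial-label wildcards ("h*.example.com"), bare "*.com"-style
    # patterns, and any attempt to let "*" cover more than one label.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_name(cert: dict, hostname: str) -> bool:
    """True if any DNS subjectAltName entry covers hostname (the CN is deliberately ignored)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(san, hostname) for san in sans)


def check_backends(front_name: str, backend_certs: dict) -> dict:
    """Map each backend to True/False: is its certificate valid for front_name?"""
    return {backend: cert_covers_name(cert, front_name) for backend, cert in backend_certs.items()}


def fetch_backend_cert(backend_ip: str, front_name: str, port: int = 465, timeout: float = 5.0) -> dict:
    """Hypothetical helper: connect straight to one backend (implicit TLS) with SNI set
    to the front-end name and return its parsed certificate. Needs network access and
    is not exercised by the offline sample data below."""
    ctx = ssl.create_default_context()
    # The hostname is verified against front_name, not the backend's own address,
    # because that is what a client arriving through the load balancer checks.
    with socket.create_connection((backend_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=front_name) as tls:
            return tls.getpeercert()


# Constructed sample data: three backends with separately issued certificates
# (different serial numbers); backend3 is misconfigured and only names itself.
FRONT_NAME = "haproxy.example.com"
SAMPLE_BACKEND_CERTS = {
    "backend1": {
        "subject": ((("commonName", "haproxy.example.com"),),),
        "subjectAltName": (("DNS", "haproxy.example.com"), ("DNS", "backend1.example.com")),
        "serialNumber": "01",
    },
    "backend2": {
        "subject": ((("commonName", "haproxy.example.com"),),),
        "subjectAltName": (("DNS", "*.example.com"),),
        "serialNumber": "02",
    },
    "backend3": {
        # Clients reaching this backend via the load balancer would get a
        # hostname-mismatch error, which is the failure mode to detect.
        "subject": ((("commonName", "backend3.example.com"),),),
        "subjectAltName": (("DNS", "backend3.example.com"),),
        "serialNumber": "03",
    },
}

if __name__ == "__main__":
    for backend, ok in check_backends(FRONT_NAME, SAMPLE_BACKEND_CERTS).items():
        print(f"{backend}: {'OK' if ok else 'front-end name missing from SAN'}")
```

For a live audit, replace `SAMPLE_BACKEND_CERTS` with `{ip: fetch_backend_cert(ip, FRONT_NAME) for ip in backend_ips}`; for backends that only offer STARTTLS on port 25, open the session with `smtplib.SMTP`, call `starttls()` with the same context and `server_hostname`, and read the certificate from `sock.getpeercert()` instead.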