On 05-19-2021 6:44 pm, IL Ka wrote:
> So, each backend can have its own certificate, but for the same DNS
> name (haproxy.example.com), right?

No. certbot will try to connect to the server you are issuing the
certificate for, using the domain name you want the cert for.
If the DNS (haproxy.example.com) goes to the load balancer then certbot
never gets the test reply and cert creation fails.

> I didn't know that letsencrypt could issue a new certificate without
> revoking the old one.

You can renew, amend, add to, remove domains from an already issued
certificate without revoking it first. Certbot will just "overwrite" the
existing certificate. That is why in the certbot command you supply the
certificate name as it's stored on that server.