On 05-19-2021 6:48 pm, Viktor Dukhovni wrote:
> Why would the cert be created "on the load balancer"? The load balancer
> is just a TCP L4 proxy. Why does it need to be a trusted component in
> the system?
The "load balancer" is haproxy running on a Linux server. It needs a
certificate because clients are connecting to it. Clients making a TLS
connection will want a certificate that is issued to whatever FQDN they
connected to.
If they connected to submission.example.com wouldn't they want a
certificate that was issued to submission.example.com? Well
submission.example.com is a Linux server running haproxy on it. The only
way (I know how) to create a certificate assigned to
submission.example.com is to create that certificate using commands in a
bash shell using certbot physically on that server.
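The two designs discussed above side by side, as an added HAProxy configuration that is not part of the thread: an L4 passthrough frontend where the balancer holds no key and the MTA presents the certificate for submission.example.com, next to a terminating frontend that does need the certbot-issued PEM on the balancer. Backend addresses (192.0.2.x), file paths, backend names and the Postfix proxy-protocol setting are assumed example values.

```haproxy
# Assumed example config (not from the thread). Addresses, paths and names
# are placeholders; adjust to the real MTAs behind submission.example.com.

global
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    timeout connect 5s
    timeout client  5m
    timeout server  5m

# Option A: L4 TCP passthrough. HAProxy only relays bytes and never holds a
# private key, so it is not a trusted component: the MTA behind it presents
# the certificate for submission.example.com itself. This is the only option
# for STARTTLS on 587, because HAProxy does not speak SMTP STARTTLS. Bind
# :465 here too if the balancer should hold no key for implicit TLS either.
frontend submission_passthrough
    mode tcp
    bind :587
    default_backend mta_passthrough

backend mta_passthrough
    mode tcp
    balance roundrobin
    # No port on the server line: HAProxy reuses the port the client hit.
    # send-proxy lets the MTA see the real client IP (assumed Postfix backend
    # with smtpd_upstream_proxy_protocol = haproxy on that listener).
    server mta1 192.0.2.10 check send-proxy
    server mta2 192.0.2.11 check send-proxy

# Option B: TLS termination on the balancer (the setup the reply describes).
# HAProxy needs key and chain in one PEM, built from the certbot output:
#   cat /etc/letsencrypt/live/submission.example.com/fullchain.pem \
#       /etc/letsencrypt/live/submission.example.com/privkey.pem \
#       > /etc/haproxy/certs/submission.example.com.pem
# Only implicit TLS (465) can be terminated this way.
frontend submission_terminate
    mode tcp
    bind :465 ssl crt /etc/haproxy/certs/submission.example.com.pem
    default_backend mta_reencrypt

backend mta_reencrypt
    mode tcp
    # Re-encrypt to the MTA and verify its certificate, so the hop behind
    # the balancer is neither plaintext nor unauthenticated.
    server mta1 192.0.2.10:465 check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt verifyhost mta1.example.internal
```

With Option A the balancer can be rebuilt or compromised without exposing the submission key; with Option B the key lives on the balancer and that host must be protected and renewed (certbot hook) like the MTA itself.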