On Wed, May 19, 2021 at 06:57:42PM -0400, post...@ptld.com wrote:

> > On 05-19-2021 6:48 pm, Viktor Dukhovni wrote:
> > Why would the cert be created "on the load balancer"? The load
> > balancer is just a TCP L4 proxy. Why does it need to be a trusted
> > component in the system?
>
> The "load balancer" is haproxy running on a linux server. It needs a
> certificate because clients are connecting to it.

NO. TCP connections DO NOT require a certificate. Clients connect to
the load balancer, which just forwards TCP streams. The STARTTLS
handshake happens at the application level, between the client and
backend server.

> Clients making a TLS connection will want a certificate that is issued
> to whatever FQDN they connected to.

Right, the FQDN of the cluster (logical name of backend servers, which
resolves to the IP address of the proxy, but ISN'T the proxy). The
hosts with the corresponding cert chain are the backend servers.

> If they connected to submission.example.com wouldn't they want a
> certificate that was issued to submission.example.com?

Yes, which lives on the backend servers, because the proxy does not do
TLS termination, it only does TCP termination.

> Well submission.example.com is a linux server running haproxy on it.
> The only way (I know how) to create a certificate assigned to
> submission.example.com is to create that certificate using commands in
> a bash shell using certbot physically on that server.

Well, there's your false assumption.

-- 
Viktor.
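As an added illustration of the split Viktor describes (this is example configuration, not from the thread or from the haproxy project): a TCP-mode haproxy front end for port 587 that carries no certificate at all, forwarding raw TCP to backend servers that hold the chain for submission.example.com and perform STARTTLS themselves. The backend names and addresses (mx1, mx2, 192.0.2.x) are assumed.

```haproxy
global
    log /dev/log local0

defaults
    # Layer-4 only: haproxy never sees or decrypts the TLS session.
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  10m
    timeout server  10m

frontend submission_in
    # No "ssl crt ..." on this bind line: the proxy does not terminate TLS,
    # so it needs no certificate and no private key. The client's STARTTLS
    # handshake is negotiated end-to-end with whichever backend is chosen.
    bind *:587
    default_backend submission_servers

backend submission_servers
    balance roundrobin
    # Each backend server presents the certificate chain for
    # submission.example.com (the cluster name clients connect to);
    # the proxy only forwards bytes. Addresses below are assumed.
    server mx1 192.0.2.10:587 check
    server mx2 192.0.2.11:587 check
    # Optional, assumption for this example: add "send-proxy" to each
    # server line so the backend logs the real client IP instead of the
    # proxy's. The backend SMTP server must then expect the PROXY protocol
    # on that port (in Postfix: smtpd_upstream_proxy_protocol = haproxy).
```

To confirm the proxy is transparent, connect through it with `openssl s_client -starttls smtp -connect submission.example.com:587` and check that the certificate shown is the backend's chain for submission.example.com.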