> On 19 May 2021, at 7:05 pm, post...@ptld.com wrote:
>
> This is where I'm getting confused.
>
> Before you said make a cert for the load balancer where clients connect, and
> deploy it on the backend servers.

The certificate is NOT for the load balancer, it is for the cluster of backend servers. The IP address of the cluster resolves to the IP address of the load balancer, but they're logically distinct. One or more hosts run an ACME client (e.g. certbot) to renew keys for the cluster. I'd use the backend hosts for this.

> Now you are saying each backend server should renew their cert.

Yes, staggered to avoid races.

> What cert?

The certificate chain for the cluster ("submission.example.com").

> They have been given a cert created by the load balancer meaning only the
> balancer can renew that cert.

NO. Not given, each is potentially the one to renew the cert, unless another cluster member does it first and rsyncs the chain to it, in which case, by the time the host looks, the cert is still current.

So in practice some member (perhaps always the same, up to you) of the cluster renews the cert, and the others get it via rsync. You'll need to allow the servers to rsync the relevant directories (/etc/letsencrypt/{archive,live}/<name>) to each other. Perhaps also the "/renewal" subdirectory etc...

-- 
Viktor.
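The renew-then-rsync arrangement described above, as an added example script that is not part of the thread: run from cron on every backend host, with a per-host stagger so whichever member fires first renews and the rest find the chain already current. The hostnames, certificate name, peer list, paths and the postfix reload are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Each cluster member runs this from cron;
# the stagger makes one member renew first and the others see a current cert.
set -eu

CERT_NAME="submission.example.com"                  # assumed cluster name
LE_DIR="/etc/letsencrypt"
PEERS="${PEERS:-mx1.example.com mx2.example.com}"   # assumed cluster members
MIN_DAYS_LEFT=30                                    # renew below this margin

# Deterministic per-host delay in 0..3599 s, so each member's cron run lands
# at a different minute and two members do not race on the same renewal.
stagger_seconds() {
    hash=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
    echo $(( hash % 3600 ))
}

# True (exit 0) when the live chain is missing or expires within MIN_DAYS_LEFT.
needs_renewal() {
    chain="$LE_DIR/live/$CERT_NAME/fullchain.pem"
    [ -r "$chain" ] || return 0
    ! openssl x509 -in "$chain" -noout -checkend $(( MIN_DAYS_LEFT * 86400 ))
}

# Copy only this cert's material: archive/<name> holds the key and chain
# files, live/<name> the symlinks into archive/, renewal/<name>.conf the
# certbot config. live/ symlinks only resolve if archive/ travels with it.
push_to_peers() {
    self=$(hostname -f)
    for peer in $PEERS; do
        [ "$peer" = "$self" ] && continue
        rsync -a "$LE_DIR/archive/$CERT_NAME/" "$peer:$LE_DIR/archive/$CERT_NAME/"
        rsync -a "$LE_DIR/live/$CERT_NAME/"    "$peer:$LE_DIR/live/$CERT_NAME/"
        rsync -a "$LE_DIR/renewal/$CERT_NAME.conf" "$peer:$LE_DIR/renewal/"
    done
}

main() {
    sleep "$(stagger_seconds "$(hostname -f)")"
    if needs_renewal; then
        certbot renew --cert-name "$CERT_NAME" --quiet
        push_to_peers
        systemctl reload postfix     # assumed service name; peers reload on their own run
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Peers that receive the chain by rsync still need their own reload step; the simplest form is to let each host's run of this script reload postfix whenever the chain on disk has changed.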