> On 19 May 2021, at 7:05 pm, post...@ptld.com wrote:
>
> This is where im getting confused.
>
> Before you said make a cert for the load balancer where clients connect, and
> deploy it on the backend servers.
The cerificate is NOT for the load balancer it is for the cluster
of backend servers. The IP address of the cluster resolves to the
IP address of the load balancer, but they're logically distinct.
One or more hosts run an ACME client (e.g. certbot) to renew keys for
the cluster. I'd use the backend hosts for this.
> Now you are saying each backend server should renew their cert.
Yes, staggered to avoid races.
> What cert?
The certificate chain for the cluster ("submission.example.com").
> They have been given a cert created by the load balancer meaning only the
> balancer can renew that cert.
NO. Not given, each is potentially the one to renew the cert, unless
another cluster member does it first, and rsyncs the chain to it, in
which case, by the time the host looks the cert is still current.
So in practice some member (perhaps always the same, up to you) of
the cluster renews the cert, and the others get it via rsync.
You'll need to allow the servers to rsync the relevant directories
to each other (/etc/letsencrypt/{archive,live}/<name>) to each
other. Perhaps also the "/renewal" subdirectory etc...
--
Viktor.
