Nginx on Edge servers
Configure your edge servers to forward all HTTP challenge requests (everything under /.well-known/) to your main web server.
# OpenDNS resolvers; Nginx queries them at request time because proxy_pass below uses a variable
resolver 208.67.220.220 208.67.222.222;
set $backend_mainserver "http://mainserver.com:80";

# Only the challenge path is proxied; the main server answers the ACME HTTP challenge
location /.well-known/ {
    proxy_pass $backend_mainserver;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host mydomain.com;
}
Nginx resolves a host name written directly in proxy_pass only once, when the configuration is loaded. Putting the upstream in a variable makes Nginx look it up at request time through the configured resolver, so we point resolver at OpenDNS, following a trick from Jethro Carr. This allows us to have a main server with a dynamic IP address.
Configure Edge Servers
We will need to upload certificates from the main server to each edge server. To do this we need an account on each edge server that can log in through SSH and receive the certificates.
useradd certmaster
passwd certmaster
mkdir /etc/letsencrypt/live-edge
chown certmaster: /etc/letsencrypt/live-edge
To allow certmaster to reload the Nginx configuration after uploading new certificates, create the sudoers file /etc/sudoers.d/certmaster with this content. Because each entry spells out the full command line, certmaster can run exactly these two invocations and nothing else; check the syntax with visudo -cf /etc/sudoers.d/certmaster and make the file mode 0440, otherwise sudo ignores it.
certmaster ALL=NOPASSWD: /usr/bin/systemctl reload nginx.service
certmaster ALL=NOPASSWD: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf
You can validate that it works by logging in as certmaster and running
sudo /usr/bin/systemctl reload nginx.service
Configure Main Server
Create an SSH key pair (if one is missing) and install its public key on the edge server, so the main server can authenticate as the certmaster account.
ssh-keygen -t rsa
ssh-copy-id certmaster@edgeserver.com
Create a script that synchronizes the certificates from the main server to the edge servers and reloads the Nginx configuration (if it is valid). You could copy the entire live directory, but in this case I'm only copying the domains that should be on the edge servers.
#!/bin/bash
# Copy the domain's certificate directory, following symlinks (-L) so the edge gets real files
rsync -rLz /etc/letsencrypt/live/mydomain.com certmaster@edgeserver.com:/etc/letsencrypt/live-edge/
# Test the remote configuration and reload Nginx only if the test passes
ssh certmaster@edgeserver.com <<'ENDSSH'
sudo /usr/sbin/nginx -t -c /etc/nginx/nginx.conf && sudo /usr/bin/systemctl reload nginx.service
ENDSSH
The rsync flags are:
-r recursive
-L transform each symlink into the file or directory it points to (the live directory holds symlinks into /etc/letsencrypt/archive, so the edge server receives the real files)
-z compression
See the rsync man page for more information.
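A fuller version of this sync script, added here as an example rather than the post's own code: it pushes several domains to several edge servers, refuses to push a certificate that is missing or about to expire, and only counts an edge as done when the remote configuration test and the reload both succeed. Host names, paths and the certmaster account are the post's placeholders; EDGE_HOSTS, DOMAINS, MIN_DAYS, the run argument and the overridable RSYNC/SSH/OPENSSL command variables are assumptions made so the logic can be exercised without a real edge server.

```shell
#!/bin/bash
# Added example (not the original post's script): push Let's Encrypt certificates
# from the main server to the edge servers and reload Nginx there when the config
# test passes. Lists, MIN_DAYS and the command variables are assumptions.

set -u

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"        # certbot's live directory
EDGE_DIR="${EDGE_DIR:-/etc/letsencrypt/live-edge}"   # target directory on the edges
CERT_USER="${CERT_USER:-certmaster}"
EDGE_HOSTS="${EDGE_HOSTS:-edgeserver.com}"           # space-separated list (assumed)
DOMAINS="${DOMAINS:-mydomain.com}"                   # space-separated list (assumed)
MIN_DAYS="${MIN_DAYS:-7}"                            # refuse to push a cert this close to expiry

# Commands are variables so a test can substitute stubs; the defaults are the real tools.
RSYNC="${RSYNC:-rsync}"
SSH="${SSH:-ssh}"
OPENSSL="${OPENSSL:-openssl}"

# cert_ok DOMAIN: fail if the chain file is missing or expires within MIN_DAYS,
# so a broken renewal on the main server is never copied to the edges.
cert_ok() {
    local pem="$LIVE_DIR/$1/fullchain.pem"
    [ -r "$pem" ] || { echo "cert_ok: missing $pem" >&2; return 1; }
    "$OPENSSL" x509 -in "$pem" -noout -checkend $((MIN_DAYS * 86400)) >/dev/null
}

# push_domain HOST DOMAIN: copy one domain's directory, dereferencing symlinks (-L)
# so the edge receives real files instead of links into the archive directory.
push_domain() {
    "$RSYNC" -rLz "$LIVE_DIR/$2" "$CERT_USER@$1:$EDGE_DIR/"
}

# reload_edge HOST: exactly the two commands the certmaster sudoers entries allow;
# the reload only runs if the configuration test succeeds.
reload_edge() {
    "$SSH" "$CERT_USER@$1" \
        'sudo /usr/sbin/nginx -t -c /etc/nginx/nginx.conf && sudo /usr/bin/systemctl reload nginx.service'
}

# sync_edge HOST: push every domain, then reload; stop at the first failure.
sync_edge() {
    local host="$1" d
    for d in $DOMAINS; do
        push_domain "$host" "$d" || { echo "sync_edge: rsync to $host failed for $d" >&2; return 1; }
    done
    reload_edge "$host" || { echo "sync_edge: reload on $host failed" >&2; return 1; }
}

# sync_all: returns 1 (before pushing anything) if a local certificate is unfit,
# otherwise the number of edge hosts that failed, so cron sees a non-zero status
# and mails the stderr lines whenever something went wrong.
sync_all() {
    local d h failed=0
    for d in $DOMAINS; do
        cert_ok "$d" || return 1
    done
    for h in $EDGE_HOSTS; do
        sync_edge "$h" || failed=$((failed + 1))
    done
    return "$failed"
}

# Run from cron as: edge-sync.sh run
case "${1:-}" in
    run) sync_all; exit $? ;;
esac
```

Install it under a path of your choice (for example /usr/local/sbin/edge-sync.sh, a hypothetical location) and call it from root's crontab on the main server with the argument run, shortly after certbot's own renewal job. The exit status is non-zero on any problem, so cron's mail tells you which edge did not get the new certificate.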
When everything is working, add the script to cron and remove the password for your certmaster user. Note that passwd --delete leaves the account with an empty password rather than a disabled one; on systems whose PAM configuration permits empty passwords this allows local logins without a password, whereas passwd --lock certmaster disables password logins while key-based SSH keeps working.
passwd --delete certmaster