Round-Robin webservers with letsencrypt

Nginx on Edge servers

Configure your edge servers to forward all HTTP challenge requests under /.well-known/ to your main web server.

# Resolve the main server's name at request time (Jethro Carr's trick): with a
# resolver and a variable in proxy_pass, Nginx re-resolves instead of caching
# the IP at startup. The two addresses are the OpenDNS resolvers.
resolver 208.67.222.222 208.67.220.220 valid=300s;
set $backend_mainserver "http://mainserver.example.com";  # placeholder: your main server's hostname

location /.well-known/ {
    proxy_pass $backend_mainserver;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Host $host;
}

Because Nginx does not resolve domain names at runtime by default, we use OpenDNS together with a trick from Jethro Carr. This allows the main server to have a dynamic IP address.

Configure Edge Servers

We need to upload certificates from the main server to each edge server. For this, each edge server needs an account that can log in through SSH and receive the certificates.

useradd certmaster
passwd certmaster

mkdir /etc/letsencrypt/live-edge
chown certmaster: /etc/letsencrypt/live-edge

To allow certmaster to reload the Nginx configuration after uploading new certificates, create the sudoers file /etc/sudoers.d/certmaster with this content:

certmaster ALL=NOPASSWD: /usr/bin/systemctl reload nginx.service
certmaster ALL=NOPASSWD: /usr/sbin/nginx -t -c /etc/nginx/nginx.conf

You can validate that it works by logging in as certmaster and running

sudo /usr/bin/systemctl reload nginx.service

Configure Main Server

Create an SSH key pair (if missing); its public key is used to authenticate as the certmaster account on the edge servers.

ssh-keygen -t rsa

Create a script that synchronizes the certificates from the main server to the edge servers and reloads the Nginx configuration (if it is correct). You could copy the entire live directory, but in this case I'm only copying the domains that should be on the edge servers.

# example.com and edge1.example.com are placeholders for your domain and edge host
rsync -rLz /etc/letsencrypt/live/example.com/ certmaster@edge1.example.com:/etc/letsencrypt/live-edge/example.com/
ssh certmaster@edge1.example.com 'sudo /usr/sbin/nginx -t -c /etc/nginx/nginx.conf && sudo /usr/bin/systemctl reload nginx.service'

The rsync flags are

-r recurse into directories
-L copy the file or directory a symlink points to, rather than the link itself
-z compress data during the transfer

See the rsync manpage for more.
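A complete version of that sync script, as an added example that is not part of the original post: it pushes only the listed domains to each edge server as certmaster, skips the reload when rsync transferred nothing, and never reloads an edge whose config test failed. The domains, edge hostnames and key path are placeholders.

```shell
#!/bin/sh
# sync-edge-certs.sh: push selected Let's Encrypt certificates from the main
# server to every edge server as certmaster, then test and reload nginx there.
# Added example; domains, edge hostnames and key path are placeholders.
set -eu
DOMAINS="${DOMAINS:-example.com www.example.com}"      # placeholder domains
EDGES="${EDGES:-edge1.example.com edge2.example.com}"  # placeholder edge hosts
LIVE=/etc/letsencrypt/live
REMOTE_DIR=/etc/letsencrypt/live-edge
SSH_KEY="${SSH_KEY:-/root/.ssh/id_rsa}"                # key created with ssh-keygen

# A live directory is worth pushing only if certbot left all four files; the
# .pem files are symlinks into ../../archive, which rsync -L dereferences.
check_live_dir() {
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -r "$1/$f" ] || { echo "missing $1/$f" >&2; return 1; }
    done
}

# rsync -i prints one line per changed file; empty output means the edge
# already has this certificate and nginx need not be reloaded.
push_domain() {
    rsync -rLzi --chmod=D750,F640 -e "ssh -i $SSH_KEY" \
        "$LIVE/$1/" "certmaster@$2:$REMOTE_DIR/$1/"
}

# Reload only after the config test passes, exactly the two commands sudoers allows.
reload_edge() {
    ssh -i "$SSH_KEY" "certmaster@$1" \
        'sudo /usr/sbin/nginx -t -c /etc/nginx/nginx.conf && sudo /usr/bin/systemctl reload nginx.service'
}

main() {
    status=0
    for edge in $EDGES; do
        changed=""
        for domain in $DOMAINS; do
            check_live_dir "$LIVE/$domain" || { status=1; continue; }
            out=$(push_domain "$domain" "$edge") || { status=1; continue; }
            if [ -n "$out" ]; then changed=yes; fi
        done
        if [ -n "$changed" ]; then
            reload_edge "$edge" || { echo "reload failed on $edge" >&2; status=1; }
        fi
    done
    return "$status"
}

# Run only when called as "sync-edge-certs.sh run" (e.g. from cron); otherwise just define functions.
if [ "${1:-}" = "run" ]; then main; fi
```

A non-zero exit from the script means at least one domain or edge failed, which is what a cron mail or monitoring hook should alert on.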

When everything is working, add the script to cron and remove the password of your certmaster user.

passwd --delete certmaster