AutoSSL with Let's Encrypt on Load Balanced System

marklm

Registered
May 23, 2017
4
1
53
Oakland, CA
cPanel Access Level
Root Administrator
I have two identical cPanel webservers on a load balancer, with the main domain of example.com pointed to the load balancer, and a third webserver that is not on the load balancer at authserver.example.com. (not really example.com, just using that as an example). I'd like to set up AutoSSL with Let's Encrypt on example.com, using authserver.example.com as the central validation server, and rsync the certificate to the load balanced servers but I'm unable to complete http validation to begin with.

On this thread on the Let's Encrypt forums, it's mentioned that two ways you can complete a challenge on a cluster are with DNS-01 verification, or with a 301 redirect, to redirect the http challenge to a central auth server.

I'd rather do DNS verification, but the plugin doesn't support this, so I'm trying the 301 redirect to the auth server (authserver.example.com, mentioned above). Here is the redirect I have in my .htaccess on both of the load balanced servers:
Code:
RewriteRule ^\.well-known/acme-challenge/?(.*)$ http://authserver.example.com/.well-known/acme-challenge/$1? [R=301,L]
This works: when I try to go to example.com/.well-known/acme-challenge/test.html, I get redirected to authserver.example.com/.well-known/acme-challenge/test.html.

So, I'm attempting the AutoSSL set-up on the authserver, which is not on the load balancer. When I do this, it doesn't work, and I have this error in the logs:

Code:
WARN The domain “example.com” failed domain control validation: The system queried for a temporary file at “http://authserver.example.com/.well-known/acme-challenge/[hash]”, which was redirected from “http://example.com/.well-known/acme-challenge/[hash]”. The web server responded with the following error: 404 (Not Found). A DNS or web server misconfiguration may exist. The domain “example.com” resolved to an IP address “[ip address]” that does not exist on this server.
The ip address it mentions that doesn't exist on the server is the ip of the load balancer, where example.com is pointed. When I look in the acme-challenge directory on the authserver, I don't see the file it's looking for, so either it's not creating it, or it's deleting it when the challenge fails.

Does anyone have any suggestions for how to fix this, or how to get the challenge to complete on a load-balanced environment with cPanel? Do I have to just use the command-line certbot to try to do a DNS-01 validation, and forget about the AutoSSL plugin? And, are there any problems / conflicts with using the manual certbot on a cPanel system? Thanks!

cPanelMichael

Administrator
Staff member
Hello,

Load balancing is unsupported, and thus it's not an environment we test AutoSSL functionality on. Since the domain name isn't resolving to an IP address associated with the specific cPanel server it's configured on, the validation process will fail. You'd likely want to setup Let's Encrypt manually for this to work.

Thank you.
 

marklm

Registered
May 23, 2017
4
1
53
Oakland, CA
cPanel Access Level
Root Administrator
Thanks for your response, Michael. I've installed certbot, and I found a script on github that automates the DNS challenge process with Route 53 using the AWS CLI: github.com/jed/certbot-route53

I've generated the SSL certificates I need for my domain, but I'm not sure exactly what I need to do to "install" them and get them to work with my domain. I know I can go into WHM and copy-paste the certificate there to install it, but because the Let's Encrypt certificate renews every 90 days, it needs to be something I can automate with cron.

Here's what I've done so far: I've added a custom httpd.conf include file under:
/usr/local/apache/conf/userdata/std/2_4/example/example.com/custom.conf

with this content:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Then I ran:
/scripts/ensure_vhost_includes --all-users
and httpd.conf updated to comment out the line that includes custom conf files.

But, the certificate isn't working. What else do I need to do to make it work?
Thank you!

EDIT: I did restart apache after updating the config files.

marklm

Registered
May 23, 2017
4
1
53
Oakland, CA
cPanel Access Level
Root Administrator
Ok, I figured out what the problem is, but I don't know how to fix it using the include files. At the top of the virtual host directive in httpd.conf that I was modifying with the include file is:

<VirtualHost [ip address]:80>

And when I change this to:
<VirtualHost [ip address]:80 [ip address]:443>

The SSL certificate works and my domain is secured. But, this file says not to modify it, because it's automatically generated, to use the include files. Anyone know how I can add port 443 to the virtualhost definition using the include files, or some other way?
 

marklm

Registered
May 23, 2017
4
1
53
Oakland, CA
cPanel Access Level
Root Administrator
I've found a full solution to this, in case this is helpful for anyone else. The right way to do this is not to modify the httpd configuration using include files, but to use WHM's API in order to run the SSL certificate install, which will automatically add the port 443 virtual host to your httpd configuration files. Here is a perl script I found that does this on CentOS 7: checknotes.wordpress.com/2016/01/23/letss-encrypt-with-centos-7/

So, here is a rundown of my full solution for Let's Encrypt on load-balanced cPanel servers:
  1. Designate one of your servers as the "central auth" server. On this server, install certbot (certbot.eff.org/). I'm running apache, but I didn't install the "python-certbot-apache" package that certbot suggests, because it needs mod_ssl, and apparently there is some conflict between this and cPanel. I selected 'None of the above' on certbot's instructions dropdown, and just installed: yum install certbot.
  2. I also installed the Amazon CLI tools, because I'm using Route 53 for DNS, and used this script to automate the challenge process: github.com/jed/certbot-route53
  3. Now I have certificates under /etc/letsencrypt for my domain. I used the perl script above (checknotes.wordpress.com/2016/01/23/letss-encrypt-with-centos-7/) to install these certificates, and it worked.
  4. Now I have to just copy the certificates over to the other load balanced servers, and run the same script as in #3 to install them. I can use cron to manage the renewal process, and incron to watch for changes in the certificate directory, and when the certificates change, scp them to replace the certificates on the other servers, and run the install perl script again.
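One way to script step 4 as a certbot --deploy-hook, as an added example (written for this page; it is not the Perl script linked in the post, nor cPanel's or certbot's own code): it installs the renewed lineage through WHM API 1's installssl call on the central server and on each load-balanced peer, and treats the call as failed unless the API's JSON result says otherwise. It assumes whmapi1 accepts --output=json and the installssl parameters domain, ip, crt, key and cab, that the peers accept root ssh with key auth and already have /etc/letsencrypt/live, and that the domain, vhost IP and peer list arrive in the constructed environment variables CERT_DOMAIN, VHOST_IP and PEERS.

```python
import json
import os
import shlex
import subprocess
import sys

# installssl wants the leaf cert, key and CA chain separately (crt/key/cab; assumed)
LINEAGE_FILES = ("cert.pem", "privkey.pem", "chain.pem")

def check_lineage(lineage_dir):
    """Refuse to deploy unless every file certbot should have written is PEM-shaped."""
    for name in LINEAGE_FILES:
        with open(os.path.join(lineage_dir, name)) as fh:
            if fh.read(11) != "-----BEGIN ":
                raise ValueError(f"{name} is not PEM")
    return True

def installssl_shell(lineage_dir, domain, ip):
    """Command run on each host; $(cat ...) expands there, so the key never rides in this script's ssh argv."""
    d = shlex.quote(lineage_dir)
    return (f"whmapi1 --output=json installssl domain={shlex.quote(domain)} "
            f'ip={shlex.quote(ip)} "crt=$(cat {d}/cert.pem)" '
            f'"key=$(cat {d}/privkey.pem)" "cab=$(cat {d}/chain.pem)"')

def whmapi_ok(output):
    """WHM API 1 signals success with metadata.result == 1; anything else, non-JSON included, is failure."""
    try:
        return json.loads(output)["metadata"].get("result") == 1
    except (ValueError, KeyError, TypeError, AttributeError):
        return False

def deploy(lineage_dir, domain, ip, peers):
    check_lineage(lineage_dir)
    cmd = installssl_shell(lineage_dir, domain, ip)
    targets = [("localhost", ["sh", "-c", cmd])]
    for peer in peers:
        # -L dereferences certbot's live/ symlinks so the peer gets real files;
        # -a keeps privkey.pem at mode 0600. The parent dir must exist on the peer.
        subprocess.run(["rsync", "-aL", f"{lineage_dir}/", f"root@{peer}:{lineage_dir}/"], check=True)
        targets.append((peer, ["ssh", f"root@{peer}", cmd]))
    for host, argv in targets:
        res = subprocess.run(argv, capture_output=True, text=True)
        if not whmapi_ok(res.stdout):
            sys.exit(f"installssl failed on {host}: {res.stdout or res.stderr}")

if __name__ == "__main__":  # certbot exports RENEWED_LINEAGE to --deploy-hook scripts
    deploy(os.environ["RENEWED_LINEAGE"], os.environ["CERT_DOMAIN"],
           os.environ["VHOST_IP"], os.environ.get("PEERS", "").split())
```

Because the hook exits non-zero on any failed install, a broken renewal shows up in certbot's own logs and cron mail instead of silently leaving one server on the old certificate.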