So letsencrypt requires port 80 and 443 access in order to generate or renew certs. This can be an issue if your server already uses ports 80 and 443, if you need a cert for an appliance that can't run letsencrypt on the device itself, or if you just can't afford the downtime.

All the above is a BS attempt at stopping non-admins from generating certs (this is BS, as you can still "get" letsencrypt to give you a cert using the webroot feature and a non-root user, but that's a topic for another time).

My solution is simple: let a "proxy" look at the inbound URL and forward *all* letsencrypt connections to the letsencrypt standalone service. This way, no matter what sub(s) or domain(s) are needed or used, one copy of letsencrypt can answer ALL the requests. This means you only ever need 1 copy of letsencrypt for all the servers BEHIND the load balancer, and you never need to take down or in any way modify your existing server or website.

What you need for all this
Here's my haproxy config.

And now an example of the letsencrypt cli.
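The post's own haproxy config and cli example did not survive on this page, so here is an added example (my configuration, not the author's) of the routing the post describes: a single HAProxy frontend on port 80 sends every ACME http-01 validation request, for any hostname, to one standalone letsencrypt listener, and everything else to the existing web servers. Assumed values: the standalone client listens on 127.0.0.1:8888, the existing site lives on 10.0.0.11 and 10.0.0.12, and the challenge type is http-01 (port 80 only).

```haproxy
# Added example config, not the original post's. HAProxy 1.5 or later.
global
    log /dev/log local0
    maxconn 2000

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80
    # Match ONLY the ACME challenge path. Nothing else may reach the standalone
    # listener, and this ACL ignores the Host header on purpose so one client
    # can answer validations for every domain/subdomain behind the proxy.
    acl is_acme path_beg /.well-known/acme-challenge/
    use_backend acme_standalone if is_acme
    default_backend web_servers

backend acme_standalone
    # Assumed: the standalone client binds to loopback port 8888 only while it is
    # issuing or renewing, so this backend is "down" the rest of the time and
    # HAProxy simply returns 503 for the challenge path. No health check is
    # configured, otherwise HAProxy would log the backend flapping constantly.
    server acme 127.0.0.1:8888

backend web_servers
    # Assumed addresses for the existing site. This backend is untouched by the
    # cert process; it never sees the challenge requests.
    balance roundrobin
    server web1 10.0.0.11:80 check
    server web2 10.0.0.12:80 check
```

With this in place the client is started with its standalone server on the alternate port, for example `certbot certonly --standalone --preferred-challenges http --http-01-port 8888 -d example.com -d www.example.com` (certbot is the current name of the letsencrypt client; the hostnames are placeholders). Because the listener is bound to loopback and only reachable through the `/.well-known/acme-challenge/` ACL, nothing outside the proxy can talk to it directly. The flip side worth keeping in mind is that whoever controls this frontend config can pass validation for any name that resolves to the load balancer, so treat the HAProxy config and the machine running the client as part of the certificate trust boundary, and keep the resulting private keys on that host rather than copying them around.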