user3288810

Reputation: 31

Renewing a Let's Encrypt certificate in multiple NGINX reverse proxy instances

I configured NGINX as a reverse proxy and also use it to handle HTTPS with Let’s Encrypt. Well, a Let’s Encrypt certificate expires within 3 months, and the administrator needs to configure it to renew automatically in a production environment.

This scenario works well for a single instance. But what if I want to scale out the NGINX instances behind Amazon ELB or Route 53? It doesn't make sense to renew the certificate in each instance.

Does anyone have experience with a use case like this? Please suggest.

Thank you.

Upvotes: 3

Views: 995

Answers (1)

kelunik

Reputation: 6908

There are various options available.

  • The newest version of the spec includes an address parameter for http-01. You can use it, so the validation authority will choose that address to verify the domain ownership. I don't know if that's already implemented in Boulder, the software that Let's Encrypt uses.
  • Another option is to redirect all requests to a specific domain. http-01 follows any redirect, so you can redirect /.well-known/acme-client/* to acme.example.com or directly to an IP that runs the client.
  • There's the dns-01 challenge type. It works by providing a TXT record for _acme-challenge.example.com with the same payload as for http-01.

For any of those options, you need just one machine running the client. You can then write a small script that distributes your private keys and certificates to all other servers.

The official client is probably not the best client available for scripting. There are many available clients. One of those is my own client that can be used for scripting. Depending on the size of the integration you're planning, a library might be more useful.

Upvotes: 1
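The redirect option from the answer above, written out as an added NGINX configuration example (not code from the question or answer). The http-01 challenge is requested under the path /.well-known/acme-challenge/; the hostnames acme.example.com and www.example.com, the upstream address 10.0.1.10:8080 and the certificate paths are assumed for illustration.

```nginx
# Served identically by every NGINX reverse-proxy instance behind the ELB.
# Assumed names: acme.example.com (the single host running the ACME client),
# www.example.com (the public site), 10.0.1.10:8080 (an upstream app server).

server {
    listen 80;
    server_name www.example.com;

    # http-01 follows redirects, so hand every challenge request to the one
    # machine that runs the ACME client and holds the account key.
    location ^~ /.well-known/acme-challenge/ {
        return 301 http://acme.example.com$request_uri;
    }

    # Everything else goes to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Files pushed to this instance by the distribution script from acme.example.com.
    ssl_certificate     /etc/nginx/certs/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/certs/www.example.com/privkey.pem;

    location / {
        proxy_pass http://10.0.1.10:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# On acme.example.com only: serve the challenge files that the ACME client
# writes into a directory of its own (webroot-style validation).
server {
    listen 80;
    server_name acme.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    location / { return 404; }
}
```

The distribution script that copies fullchain.pem and privkey.pem to the other instances should use an authenticated, encrypted channel (for example scp or rsync over SSH) and keep the key file readable only by root, then reload NGINX on each instance so the new certificate is actually served.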
