Recently, at work and with the help of an esteemed colleague (hi Suresh!), we set up multiple HTTPS nodes behind a load balancer (LB). Here's the problem we had:
– We have environments where we want N parallel nodes serving traffic.
– We want the nodes to receive encrypted traffic, i.e. TLS is terminated on the nodes themselves, not in front of them.
– We want the nodes to share the same subdomain (and therefore the same TLS certificate and private key).
– We want a load balancer in front instead of DNS round robin, so we have more control over our nodes (health checks, draining a node, adding one without waiting for DNS to propagate).
– We don't want the load balancer to terminate TLS or hold the certificate, because we don't control the LB itself (it's provided by a cloud service).
Here’s the solution we came up with:
– Set up the LB (we used Hetzner).
– Point the subdomain to the LB's IP.
– Set up the first HTTPS application node exactly as you would a single node (a VM with nginx + certbot + Let's Encrypt), but don't request the certificate (run the ACME challenge) yet: the subdomain now resolves to the LB, so the challenge has to go through it.
– Configure the LB for TLS passthrough: it forwards the TCP connection on port 443 to a node without terminating TLS, so it never sees plaintext and never needs a certificate. The LB also has to forward port 80, because the HTTP-01 challenge always starts over plain HTTP.
– Run certbot on the first node. The CA's validation request for `/.well-known/acme-challenge/` arrives at the LB, is forwarded to the node, and the challenge succeeds.
– When adding the second node (or any subsequent node), redirect the challenge path to the first node, so that a validation request the LB happens to route to a newer node still reaches the node that runs certbot:
```
location /.well-known/acme-challenge/ {
    return 302 $scheme://FIRST_NODE_IP$request_uri;
}
```
(replace FIRST_NODE_IP with the address of the first node). One caveat: Let's Encrypt's HTTP-01 validator follows redirects only to `http:` or `https:` on ports 80 or 443, and it does not follow redirects to bare IP addresses. So give the first node its own DNS name that resolves directly to that node (not to the LB, or the redirect just goes back through the balancer) and redirect there, or replace the `return 302` with a `proxy_pass` to the first node so that the CA never sees a redirect at all.
– Copy `/etc/letsencrypt` (the `archive/` directory with the actual files and the `live/` symlinks nginx points at) from the first server to the second one, then reload nginx on the second server; nginx only reads certificate files at start-up and on reload.
– Set up a cron script to do this copying periodically, or better, run it as a certbot deploy hook (`--deploy-hook`, or a script in `/etc/letsencrypt/renewal-hooks/deploy/`) so the copy happens right after each successful renewal. You'll have to put an SSH private key on the first server so it can `rsync` or `scp` to the others. Treat that key as sensitive: whoever holds it can replace the certificate and private key on every node, so bind it to a dedicated user on the peers, allow that user `sudo` only for the copy and the nginx reload, and keep the peers' host keys in `known_hosts` so the script can run with strict host key checking.
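Here is the copying step written as a certbot deploy hook rather than a cron job. It is an added example, not the script from the original post. Everything in it is an assumption to adapt: the peer IPs, the `certsync` user, the key path, and that `certsync` may run `rsync`, `nginx -t` and `systemctl reload nginx` via passwordless `sudo` on the peers. After syncing, it connects to each peer directly (not through the LB) and checks that the peer now serves the same leaf certificate as the first node.

```shell
#!/bin/sh
# Certbot deploy hook: push a renewed Let's Encrypt lineage from the first
# node to the other nodes, reload nginx there, and verify what they serve.
# Added example, not code from the original post. Constructed/assumed values:
# the peer IPs, the 'certsync' user, the key path, and the sudo rules on peers.
#
# Install on the first node as
#   /etc/letsencrypt/renewal-hooks/deploy/sync-peers.sh   (chmod 0755)
# certbot runs it after each successful renewal with RENEWED_LINEAGE set to
# the lineage directory, e.g. /etc/letsencrypt/live/example.com.
set -eu

PEERS="${PEERS:-10.0.0.2 10.0.0.3}"                  # constructed: the other nodes
SSH_USER="${SSH_USER:-certsync}"                     # assumed unprivileged user on peers
SSH_KEY="${SSH_KEY:-/root/.ssh/certsync_ed25519}"    # assumed key held only by node 1
SSH_OPTS="-i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes"

# Directory name of a lineage path: /etc/letsencrypt/live/example.com -> example.com
lineage_name() {
    basename "$1"
}

# Normalise an OpenSSL fingerprint line ("sha256 Fingerprint=AB:CD:..." or a
# bare "AB:CD:...") to lowercase hex without separators so two can be compared.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//; s/://g' | tr 'A-F' 'a-f'
}

# SHA-256 fingerprint of the leaf certificate in a PEM file on this node.
cert_fingerprint() {
    norm_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the leaf certificate that peer $1 actually serves for name $2
# on port 443. Connecting to the node's own IP bypasses the LB, so this
# checks that specific node rather than whichever one the LB picks.
served_fingerprint() {
    norm_fp "$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)"
}

# Copy the renewed lineage to a peer. -L dereferences the live/ symlinks so
# the peer receives real files; "sudo rsync" on the remote side is what lets
# the unprivileged user write into /etc/letsencrypt. Files end up root-only.
sync_to_peer() {
    rsync -aL --chmod=D700,F600 --rsync-path="sudo rsync" \
        -e "ssh $SSH_OPTS" \
        "$RENEWED_LINEAGE/" \
        "$SSH_USER@$1:/etc/letsencrypt/live/$(lineage_name "$RENEWED_LINEAGE")/"
}

# Reload nginx on a peer, but only if its configuration still validates.
reload_peer() {
    ssh $SSH_OPTS "$SSH_USER@$1" 'sudo nginx -t && sudo systemctl reload nginx'
}

main() {
    name=$(lineage_name "$RENEWED_LINEAGE")
    want=$(cert_fingerprint "$RENEWED_LINEAGE/fullchain.pem")
    for peer in $PEERS; do
        sync_to_peer "$peer"
        reload_peer "$peer"
        got=$(served_fingerprint "$peer" "$name")
        if [ "$got" != "$want" ]; then
            echo "ERROR: $peer serves $got, expected $want" >&2
            exit 1
        fi
        echo "ok: $peer now serves $want"
    done
}

# Only act when certbot invokes the hook (RENEWED_LINEAGE set). Running the
# file without it just defines the helpers and exits quietly.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

The peers' nginx configuration keeps pointing at `/etc/letsencrypt/live/<name>/fullchain.pem` and `privkey.pem`, which is exactly the directory the hook fills. Note that a `sudo rsync` rule is a root-level write primitive on the peers, which is inherent in pushing into `/etc/letsencrypt`; that is why the key lives only on the first node with mode 0600, `BatchMode` makes a missing or wrong key fail loudly instead of hanging the renewal, and `StrictHostKeyChecking=yes` means the peers' host keys must already be in the first node's `known_hosts`.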
And voila!