I have a cluster of 4 servers with all 4 being load balancers (HAProxy) in order to achieve high availability.
When we are trying to generate a web SSL certificate using Let's Encrypt, the generation is done on the first server in the cluster, which also creates a standalone service to solve the challenge that proves the domain is ours. If the request comes in on one of the other three load balancers, that request is redirected towards the public IP port 80 of the first server, but that connection can't be made for some reason.
By default, pfSense® software does not redirect internally connected devices to reach forwarded ports and 1:1 NAT on WAN interfaces. If a client is trying to reach a service on port 80 or 443 (or the port a web interface is using if it has been changed), the connection will hit the web interface and they will be presented with a certificate error if the GUI is running HTTPS, and a DNS rebinding error since it’s an unrecognized hostname.
Could anyone please help me understand the best approach to solve my issue?
I looked at 'Split DNS' but I don't think it will work as I cannot list every single domain I host (current and future).
I am now looking at 'NAT Reflection' but I am not sure if this is what I need.
@fred974, I believe they are referring to hairpinning, when you have an internal system trying to reach an external service being exposed on the outside interface of your firewall. There are two fixes. The first is that you can create a NAT (hairpin) that has a source address of the servers and a destination of the outside interface/IP. The other option is to create a hosts file entry on each server pointing the URL/domain to the system's IP you created the cert on.
Hi @FredFerrell what will that look like?
This is what my /etc/hosts currently looks like:
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
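As an added example (not from anyone in this thread) of the hosts-file option described in the reply above: a small Python helper that keeps a single managed block in /etc/hosts mapping the served domains to the LAN address of the node that runs the ACME standalone responder, so a rerun never duplicates entries and any pre-existing, conflicting mapping for one of those domains is reported before it is overwritten. The domain names and the address 10.0.0.11 are constructed placeholders.

```python
"""Maintain a managed block of domain -> internal IP overrides in /etc/hosts.

Constructed example: the cert node's LAN address (10.0.0.11) and the domains
are placeholders; replace them with the cluster's own values.
"""
import re
from pathlib import Path
from typing import Iterable, List

BEGIN = "# BEGIN acme-hosts (managed)"
END = "# END acme-hosts (managed)"
_BLOCK = re.compile(rf"{re.escape(BEGIN)}.*?{re.escape(END)}\n?", re.S)


def render_hosts(existing: str, target_ip: str, domains: Iterable[str]) -> str:
    """Return hosts-file text containing exactly one managed block.

    Any earlier managed block is removed first, so the function is idempotent
    and safe to run from cron or a config-management tool on every node.
    """
    body = _BLOCK.sub("", existing).rstrip("\n")
    entries = [f"{target_ip} {d}" for d in sorted(set(domains))]
    block = "\n".join([BEGIN, *entries, END])
    return f"{body}\n{block}\n" if body else f"{block}\n"


def conflicting_entries(text: str, domains: Iterable[str]) -> List[str]:
    """Unmanaged, non-comment lines that already map one of the domains.

    These would shadow or contradict the managed block, so an operator should
    review them rather than letting two answers for one name coexist.
    """
    wanted = set(domains)
    hits, inside = [], False
    for line in text.splitlines():
        if line == BEGIN:
            inside = True
            continue
        if line == END:
            inside = False
            continue
        if inside or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if len(fields) > 1 and wanted & set(fields[1:]):
            hits.append(line)
    return hits


if __name__ == "__main__":
    hosts = Path("/etc/hosts")
    names = ["example.com", "www.example.com"]  # constructed placeholders
    current = hosts.read_text()
    for bad in conflicting_entries(current, names):
        print(f"conflict, review before applying: {bad}")
    hosts.write_text(render_hosts(current, "10.0.0.11", names))
```

Every server in the cluster must carry the same block, and it has to be revisited whenever a new domain is added, which is the same bookkeeping Split DNS would need.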