Allow Letsencrypt challenge through the load-balancer to the origin

When an origin server behind F5DC uses a certificate provided by Letsencrypt, renewals of this certificate will fail, as the load-balancer intercepts ALL requests to http://<domain>/.well-known/acme-challenge/* and returns a 404 for a challenge it doesn’t have.

I suggest that we change the load-balancer’s behaviour so that it forwards the request to the origin pool if it doesn’t have the token to match the challenge it receives.

I’m aware that for the above to work, the end-user likely needs to configure a specific route and a specific origin pool to forward the challenge to the host that is renewing the certificate and to this one only, but at least this step can be done programmatically. I’m also aware that we may offer ways to solve the DNS-01 challenge soon, but offering multiple options makes us stronger.

  • Étienne Labaume
  • May 27 2022
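The routing decision the post asks for, written out as an added example (it is not F5DC code and not the poster's): a load balancer that answers an HTTP-01 challenge itself when it holds the token, and otherwise proxies the request to a per-host origin pool instead of returning 404. The host names, pool name `acme-renewer-pool`, tokens and thumbprints are constructed for illustration; the `forward_on_miss` flag is a hypothetical switch that lets the same function show today's behaviour next to the proposed one.

```python
"""Added example: HTTP-01 challenge routing on a load balancer that may or may
not hold the token. Not F5 Distributed Cloud code; names and tokens are made up."""
import re
from typing import Dict, Optional, Tuple

ACME_PREFIX = "/.well-known/acme-challenge/"
# RFC 8555 section 8.3: a token is base64url without padding, at least 128 bits
# of entropy (22+ characters). Anything else is not a challenge and must not be proxied.
TOKEN_RE = re.compile(r"^[A-Za-z0-9_-]{22,}$")

# Hypothetical configuration: the origin pool that receives challenge misses for
# each host. Per the post, the end-user points this at the renewing host only.
ACME_ORIGIN_POOLS: Dict[str, str] = {"www.example.com": "acme-renewer-pool"}


def route_acme_challenge(host: str, path: str,
                         lb_tokens: Dict[str, Dict[str, str]],
                         forward_on_miss: bool,
                         origin_pools: Dict[str, str] = ACME_ORIGIN_POOLS
                         ) -> Tuple[str, Optional[str]]:
    """Decide how the load balancer handles one request. Returns (action, detail):
      ("not_acme", None)         ordinary traffic, handled by the normal route
      ("respond_local", keyauth) LB holds the token: answer with its key authorization
      ("forward", pool)          LB lacks the token: proxy to the configured origin pool
      ("respond_404", None)      malformed token, no pool for this host, or forwarding off
    """
    if not path.startswith(ACME_PREFIX):
        return ("not_acme", None)
    token = path[len(ACME_PREFIX):]
    if not TOKEN_RE.fullmatch(token):
        return ("respond_404", None)        # e.g. "../etc": never proxied to the origin
    keyauth = lb_tokens.get(host, {}).get(token)
    if keyauth is not None:
        return ("respond_local", keyauth)   # today's and the proposed behaviour agree here
    pool = origin_pools.get(host)
    if forward_on_miss and pool is not None:
        return ("forward", pool)            # the proposed change
    return ("respond_404", None)            # today's behaviour for a token the LB lacks


def handle_request(host: str, path: str,
                   lb_tokens: Dict[str, Dict[str, str]],
                   origin_tokens: Dict[str, Dict[str, str]],
                   forward_on_miss: bool) -> Tuple[Optional[int], Optional[str], str]:
    """Simulate the whole exchange: LB decision, then the origin's reply when forwarded.
    origin_tokens maps pool name -> {token: key_authorization} held by that origin.
    Returns (status, body, who_answered)."""
    action, detail = route_acme_challenge(host, path, lb_tokens, forward_on_miss)
    if action == "respond_local":
        return (200, detail, "lb")
    if action == "forward":
        token = path[len(ACME_PREFIX):]
        keyauth = origin_tokens.get(detail, {}).get(token)
        if keyauth is None:
            return (404, "", "origin")      # origin is not renewing right now either
        return (200, keyauth, "origin")
    if action == "respond_404":
        return (404, "", "lb")
    return (None, None, "default-route")


# Constructed sample state (not real tokens): the LB holds one token for the host,
# the origin behind the renewer pool holds a different one.
LB_TOKENS = {"www.example.com": {
    "tokenHeldByLB_aaaaaaaaaa": "tokenHeldByLB_aaaaaaaaaa.lbThumbprint"}}
ORIGIN_TOKENS = {"acme-renewer-pool": {
    "tokenHeldByOrigin_bbbbb": "tokenHeldByOrigin_bbbbb.originThumbprint"}}

if __name__ == "__main__":
    p = ACME_PREFIX + "tokenHeldByOrigin_bbbbb"
    print("today:   ", handle_request("www.example.com", p, LB_TOKENS, ORIGIN_TOKENS, False))
    print("proposed:", handle_request("www.example.com", p, LB_TOKENS, ORIGIN_TOKENS, True))
```

Two details worth keeping when this is turned into real load-balancer configuration: the CA validates HTTP-01 over plain HTTP on port 80, so the forwarding route must apply to the HTTP listener and not only to the HTTPS one; and only syntactically valid tokens should be proxied, so that the ACME prefix does not become a general path into the origin.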