smallstep / certificates

🛡️ A private certificate authority (X.509 & SSH) & ACME server for secure automated certificate management, so you can use TLS everywhere & SSO for SSH.
https://smallstep.com/certificates
Apache License 2.0

Add an in-memory cookie jar to http.Client returned by NewClient #1833

Closed arontsang closed 1 month ago

arontsang commented 2 months ago

Hello!

Issue details

I am trying to use an ACME server that is behind an AWS ELB. The ELB uses cookies to ensure that an HTTP session is routed back to the same ACME server.

Without cookies, caddy will just be connected by the ELB to random servers.

This results in the ACME server rejecting nonces that were generated by another ACME server.

Why is this needed?

Interfacing correctly with ACME servers behind load balancers.
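The failure mode described above, reproduced as an added example in Go (not code from this issue, from step-ca or from Caddy): a constructed stub stands in for the ELB and two ACME backends with separate nonce pools, and `withCookieJar` applies the fix the title asks for by attaching a `net/http/cookiejar` to the client. The cookie name AWSALB, the nonce values and the simplified nonce-in-a-header transport are assumptions.

```go
package main

import (
	"net/http"
	"net/http/cookiejar"
	"net/http/httptest"
	"sync/atomic"
)

// Constructed stand-in for an ELB fronting two ACME backends ("a" and "b"): routing is
// sticky on the AWSALB cookie (name assumed), a request without it goes round-robin and
// gets the cookie set, and each backend accepts only its own nonce (sent as a header, not a JWS).
func newStickyACMEStub() *httptest.Server {
	var rr uint32
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		c, err := r.Cookie("AWSALB")
		if err != nil {
			c = &http.Cookie{Name: "AWSALB", Value: []string{"a", "b"}[atomic.AddUint32(&rr, 1)%2], Path: "/"}
			http.SetCookie(w, c)
		}
		nonce := "nonce-from-backend-" + c.Value
		if r.URL.Path == "/acme/new-order" && r.Header.Get("Replay-Nonce") != nonce {
			http.Error(w, `{"type":"urn:ietf:params:acme:error:badNonce"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Replay-Nonce", nonce) // every ACME response carries a fresh nonce
	}))
}

// newOrder runs the two-request flow that exposes the bug (fetch a nonce, then spend it)
// and returns the status code of the new-order response.
func newOrder(c *http.Client, base string) (int, error) {
	resp, err := c.Head(base + "/acme/new-nonce")
	if err != nil {
		return 0, err
	}
	req, _ := http.NewRequest(http.MethodPost, base+"/acme/new-order", nil)
	req.Header.Set("Replay-Nonce", resp.Header.Get("Replay-Nonce"))
	if resp, err = c.Do(req); err != nil {
		return 0, err
	}
	return resp.StatusCode, resp.Body.Close()
}

// withCookieJar is the change the issue asks for: an in-memory jar retains the ELB's
// sticky cookie, so the second request lands on the backend that issued the nonce.
func withCookieJar(c *http.Client) *http.Client {
	c.Jar, _ = cookiejar.New(nil)
	return c
}
```

A client without a jar gets 400 badNonce because the two requests are routed to different backends; the same flow through `withCookieJar` gets 200.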

hslatman commented 1 month ago

Hey @arontsang, if I understand correctly, you have multiple step-ca instances (or is it a different ACME server; maybe an ACME server hosted inside a Caddy instance) deployed behind AWS ELB, and Caddy is acting as the client of the ACME server(s)? Because if so, I don't think the fix in #1834 does what you need. That changes the client that is used to verify ACME challenges from the CA viewpoint. Usually that's just a single request, it goes out to the ACME client (in front of the AWS ELB), and it doesn't involve the nonce. So I think the issue is not on the step-ca side.

I think the fix is on the Caddy side, where you already opened the issue and I think the fix in https://github.com/caddyserver/certmagic/pull/288 should work.

arontsang commented 1 month ago

> Hey @arontsang, if I understand correctly, you have multiple step-ca instances (or is it a different ACME server; maybe an ACME server hosted inside a Caddy instance) deployed behind AWS ELB, and Caddy is acting as the client of the ACME server(s)? Because if so, I don't think the fix in #1834 does what you need. That changes the client that is used to verify ACME challenges from the CA viewpoint. Usually that's just a single request, it goes out to the ACME client (in front of the AWS ELB), and it doesn't involve the nonce. So I think the issue is not on the step-ca side.
>
> I think the fix is on the Caddy side, where you already opened the issue and I think the fix in caddyserver/certmagic#288 should work.

Yup, that sounds like that is correct. Thank you.

arontsang commented 1 month ago

Closing