LetsEncrypt renewal

Type: Suggestion

I’m using your bncert-tool to install a Let’s Encrypt certificate. I got this error while trying to install the certificate.

Warning: The domain 'xxxxxxxxxx' resolves to a different IP address than
the one detected for this machine, which is 'xx.yy.zz.ww'. Please fix its DNS
entries or remove it

My domain was pointing to Load Balancer IP address. So I had to change it to my server IP address in the DNS records temporarily to install this certificate, which was fine.

My concern is about the automatic renewal that happens after 2 months. Should my domain be pointed to my server IP address in the DNS records when the renewal happens? That totally ruins the point of having an AUTOMATIC renewal, as I have to temporarily change my DNS records, which is a MANUAL task.

Your thoughts?

Hello @n4nevinn,

I don’t know which cloud provider you are using, but in these cases you will need to request an SSL certificate from said provider. You can check how to configure the LoadBalancer and SSL in AWS in our guide:


Francisco de Paz

I’m using AWS Lightsail and I’m planning to place a CloudFront distribution in front of my Lightsail instance. I know I can configure SSL with my CloudFront distribution, but I need to install an SSL certificate in the instance for end-to-end encryption.

Can I please get an update for this?

Hello @n4nevinn,

Sorry about the delay, I thought your issue got solved by my colleague in your other thread.

At the moment, there is no option to use bncert to auto-renew the certificate if you are behind a LB. The users who have a load balancer usually configure the certificate there, not in the instance itself.

For those cases in which the user also wants to configure the certificate in the instance, we have the manual process (using lego directly) for the user to configure the certificate the way he wants. You are free to use any other Let’s Encrypt client like certbot if you have any inconvenience using lego.

Francisco de Paz

Okay. I just found out that auto renew basically uses the lego command with HTTP validation, which does not require the domain to be pointing to the IP address in DNS. All good in that case!!
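The renewal flow the thread ends on, written out as an added example (not Bitnami's or lego's own script): a cron-friendly helper that first probes whether a token dropped into the webroot is reachable through the public hostname (i.e. the load balancer forwards port 80 to this instance), and only then runs lego's HTTP-01 renewal in webroot mode. The Bitnami webroot, the lego state directory and the ctlscript restart command are assumptions; adjust them to your layout.

```shell
# Renewal helper for a Let's Encrypt cert on an instance behind a load balancer.
# HTTP-01 works here because the CA follows DNS to the load balancer, which
# forwards port 80 to this instance; DNS never has to point at the instance IP.
# Assumed paths (Bitnami Apache webroot, lego state dir, ctlscript): adjust them.
WEBROOT="${WEBROOT:-/opt/bitnami/apache/htdocs}"
LEGO_PATH="${LEGO_PATH:-/etc/lego}"
RENEW_WITHIN_DAYS="${RENEW_WITHIN_DAYS:-30}"

# Build the URL the CA will request for a given domain and challenge token.
acme_challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a probe token into the webroot and fetch it through the public
# hostname. If this fails, the LB is not forwarding port 80 to this instance
# and the real challenge would fail the same way, so stop before calling lego.
challenge_reachable() {
    domain="$1"
    token="probe-$$-$(date +%s)"
    dir="$WEBROOT/.well-known/acme-challenge"
    mkdir -p "$dir" && printf 'ok' > "$dir/$token"
    body=$(curl -fsS --max-time 10 "$(acme_challenge_url "$domain" "$token")" 2>/dev/null) || body=""
    rm -f "$dir/$token"
    [ "$body" = "ok" ]
}

# Renew only when the certificate is within RENEW_WITHIN_DAYS of expiry
# (lego's own --days check), after confirming the challenge path is reachable.
renew_behind_lb() {
    domain="$1"; email="$2"
    if ! challenge_reachable "$domain"; then
        echo "challenge path not reachable via $domain; check LB port-80 forwarding" >&2
        return 1
    fi
    # --http.webroot lets the running Apache serve the token instead of lego
    # binding port 80 itself, which would collide with the web server.
    lego --email "$email" --domains "$domain" --path "$LEGO_PATH" \
         --http --http.webroot "$WEBROOT" --accept-tos \
         renew --days "$RENEW_WITHIN_DAYS" || return 1
    # Assumed layout: lego writes $LEGO_PATH/certificates/$domain.crt and .key;
    # Apache must be restarted to pick up the renewed files.
    /opt/bitnami/ctlscript.sh restart apache
}

# Dispatch only when invoked with arguments, e.g. weekly from cron:
#   0 3 * * 0 /path/to/renew.sh example.com admin@example.com
if [ "$#" -ge 2 ]; then
    renew_behind_lb "$1" "$2"
fi
```

Note that this does not remove the need to keep the certificate on the load balancer or CloudFront in sync separately; it only renews the instance-side certificate for the end-to-end hop.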