[udev4096]

Interesting. I was just setting up a LB like this: client ->LB(nginx) ->TLS terminate for LB conn -> proxy_pass to backend which is behind nginx and has separate TLS certs. it's surprisingly easy to configure. Wonder why people still use HTTP at all. Even at home, I have setup LE certs for all local domains

On a side note, nginx doesn't support HTTP/2 for https load balancing so I am thinking of switching to haproxy which supports it

[butvacuum]

Because you've now published your internal machine names. Look up certificate transparency logs.

[udev4096]

What do you mean? I used self-signed for communication b/w LB and the nginx serving backend

Edit: I don't see any "machine name" on crt.sh for public LB which uses LE

Ah, you meant the DNS address is on CT now. You think I wouldn't know that? Regardless, a dns01 challenge is far better than using self-signed at home