With DNS Failover how to renew SSL on Secondary Server?

Hi,
I want to setup DNS Failover for 1 domain, in order to have server redundancy in case of downtime of primary server.
My issue is that I use Let’s Encrypt SSL certificates on both servers, and if the Primary Server has no downtime, the Let’s Encrypt SSL certificate will not be able to renew on the Secondary Server after the 3-month duration of the Let’s Encrypt certificate, since no DNS is pointing there.
On my secondary server I use Plesk Web Server. Does anyone know any solution to keep the Let’s Encrypt SSL certificate active, even without a DNS A record pointed there?
I have also thought about buying an SSL certificate from Comodo to install on the Secondary Server, to have the SSL valid for 1 year without needing DNS pointed there. I think this way will work. At least in theory.
Any advice or suggestion is welcome. First time setting up a Failover DNS site…
Thanks
Comments
ACME via DNS or sync them via rsync.
You can have multiple active certs per domain/subdomain on LE.
You can sync the file changes from the first server to the failover server using tools like rsync.
Otherwise you can just manually copy the SSL files/configuration as needed.
We have 5 (currently) servers in different regions of the world for our main website and that's what we do.
Just curious, how do you reload nginx? Cron?
I have a similar setup with Cloudflare, so SSL is not a problem.
I do have 40+ servers for my image host and was using Let’s Encrypt, also with custom DNS.
And since renewal is required once every 90 days and needs lots of customization to do the autorenewal I decided to spend money on cheap SSL from ssls.com.
And now I have to do it once every year even though I bought it 5 years.
Manually, but I hadn't really considered it much as the setup is new and the SSL won't renew until January.
I have recently seen a really funky setup.
Not commenting on good/bad/... just saying that certainly was one way to do it.
I have a management server that uses dehydrated and a PowerDNS hook (tons of hooks available on GitHub) to generate wildcard certs. I have a cron job that runs a script to renew the wildcard, then push the certificates to the servers via SCP. After that, it triggers a reload script on the individual servers to verify permissions of the cert files, then reload the services that depend on the certificates. If afterward the service can't be reached by the reload script to check if it's online, it'll ping my phone via Pushover. This is one of the few sets of scripts I don't give out (messy and overly specific to stack), but the description I gave basically writes them anyway.
It's really not terribly complex once you're at the point that you are. Getting where you are, effectively and assuming with content that changes with any regularity, is the more difficult task.
My setup is very simple too. lsyncd on the master server to sync files and SymmetricDS for database multi-master sync.
Certs are from Cloudflare that points to a CNAME domain that uses nsone geo target records with self-signed certificates.
Use a post renew hook in Certbot so Nginx is only reloaded when a certificate is actually renewed. If you rsync the certs across then reload Nginx in the same script that rsyncs them.
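The hook-plus-rsync approach described above, as an added example that is not code from the original thread or any poster. It is a certbot deploy hook (certbot runs it only on actual renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS); the hostname, user name, domain list and the assumption that the failover runs nginx with key-based SSH access are placeholders.

```shell
#!/bin/sh
# Certbot deploy hook (runs only when a cert was actually renewed). Certbot
# exports RENEWED_LINEAGE (the live/<name> dir) and RENEWED_DOMAINS.
# Assumed (not from the thread): key-based SSH from the primary to a
# dedicated account on the failover, rsync on both ends, nginx on the
# failover reading the same live/ path, sudo limited to the nginx commands.
set -eu
FAILOVER_HOST="${FAILOVER_HOST:-failover.example.com}"      # placeholder
FAILOVER_USER="${FAILOVER_USER:-certsync}"                  # placeholder
SYNC_DOMAINS="${SYNC_DOMAINS:-example.com www.example.com}" # placeholder
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the commands instead of running them

# Run a command, or print it when DRY_RUN=1 (lets the hook be tested offline).
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Succeed only if a renewed domain is one we replicate, so renewals of
# unrelated certificates on the primary do not trigger a sync or reload.
needs_sync() {
    for d in $1; do
        for s in $SYNC_DOMAINS; do
            [ "$d" = "$s" ] && return 0
        done
    done
    return 1
}

# Copy the lineage directory: -L dereferences the symlinks in live/ so real
# files arrive; --chmod keeps privkey.pem owner-only on the failover.
sync_lineage() {
    run rsync -aL --delete --chmod=D700,F600 \
        "$1/" "$FAILOVER_USER@$FAILOVER_HOST:$1/"
}

# Reload nginx on the failover only if its config validates with the new files.
reload_failover() {
    run ssh "$FAILOVER_USER@$FAILOVER_HOST" \
        'sudo nginx -t && sudo systemctl reload nginx'
}

main() {
    if ! needs_sync "${RENEWED_DOMAINS:-}"; then
        echo "no replicated domain was renewed, nothing to sync"; return 0
    fi
    sync_lineage "$RENEWED_LINEAGE"
    reload_failover
}
# Act only when invoked by certbot (RENEWED_LINEAGE set), not when sourced.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main; fi
```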
Will do that. Buy a cheap 1-year SSL. Thanks all for the advice.
There are not many options. Either use a paid SSL certificate or sync LE using rsync.