2 servers Failover config, same hostname

I have 2 servers in a failover config with DNS-based switching. The servers themselves are configured with the same hostname.

I was able to generate the certificate for both, but I can only renew for one IP, and not for the other.

I need both renewed.

I'd like some suggestions on how to manage this.
So far what came to my mind is to change the hostname of the second one, which I cannot renew, issue a new SSL cert for this new hostname, and keep the third-party DNS failover config unchanged.

However, I believe the mismatch between the hostname typed into the browser by the visitor and the hostname of the server might trigger an SSL error message.

If you can arrange to do so securely, I recommend arranging for the "passive" member of the pair to obtain a copy of the certificate and key from the active member and use that. This way, if failover happens, you're using a known good key and certificate.

You are correct that a cert for the wrong name is useless. Only the DNS name matters: the certificate just contains a list of Fully Qualified Domain Names added as subjects; the IP address, port number and other characteristics are not specified in a certificate.
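The checks a practitioner would run on the passive member after copying the active member's renewed certificate and key over, as an added example that is not part of this thread: the certificate must list the name visitors type as a DNS SAN, the private key must match the certificate, and the certificate must not be about to expire. File names follow certbot's fullchain.pem/privkey.pem layout and an openssl CLI of 1.1.1 or newer is assumed; the self-signed pair is a constructed stand-in for the copied files.

```shell
#!/bin/sh
# Added example (not from the thread): post-copy checks on the passive failover member.
# Assumes certbot-style fullchain.pem/privkey.pem names and openssl >= 1.1.1 (-ext/-addext).
set -e

# Succeeds if the certificate's subjectAltName lists DNS:<name> exactly.
cert_covers_name() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | tr -d ' \t' | grep -xF "DNS:$2" >/dev/null
}

# Succeeds if the private key's public half equals the certificate's public key.
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds if the certificate is still valid <days> days from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Runs all three checks on <dir> for <name>; prints the first failing check.
check_deployed_cert() {
  cert_covers_name "$1/fullchain.pem" "$2" || { echo "FAIL: SAN lacks DNS:$2"; return 1; }
  key_matches_cert "$1/fullchain.pem" "$1/privkey.pem" || { echo "FAIL: key/cert mismatch"; return 1; }
  cert_valid_for_days "$1/fullchain.pem" "${3:-7}" || { echo "FAIL: expires within ${3:-7} days"; return 1; }
  echo "OK: $1 serves $2"
}

# Constructed sample: a throw-away self-signed pair standing in for the copied files.
make_sample_pair() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" \
    -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

main() {
  dir=$(mktemp -d)
  make_sample_pair "$dir" "www.example.com"
  check_deployed_cert "$dir" "www.example.com" 7
  # The same files checked against a different name fail, as the reply above says they would.
  check_deployed_cert "$dir" "other.example.com" 7 || true
  rm -rf "$dir"
}
main
```

Wire check_deployed_cert into whatever copies the files (for example a renewal deploy hook) so a bad copy is rejected before the web server is reloaded with it.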

OK. Solved by simply copying the renewed certs over.