2 servers Failover config, same hostname

fernandobender · 2017-12-21 13:57:44 UTC

dear fellows,

i have 2 servers on failover config, dns based switching. the servers themselves are configured with the same hostname.

i was able to generate the certificate for both, but i can only renew for one IP, and not for the other.

i need both renewed.

i’d like some suggestions on how to manage this.
so far what came to my mind is to change the hostname of the second which i cannot renew, issue a new ssl cert for this new hostname, and keep the third party dns failover config unchanged.

however, i believe the mismatch between the typed hostname on browser by the visitor, and the hostname of the server might trigger a ssl error message.

i’d appreciate your comments.

best regards,
fernando a. bender

tialaramex · 2017-12-21 14:40:01 UTC

If you can arrange to do so securely I recommend arranging for the “passive” member of the pair to obtain a copy of the certificate and key from the active member and use that. This way if failover happens, you’re using an known good key and certificate.

You are correct that a cert for the wrong name is useless. Only the DNS name matters, the certificate just contains a list of Fully Qualified Domain Names add as subjects, the IP address, port number and other characteristics are not specified in a certificate.

fernandobender · 2017-12-21 14:40:22 UTC

ok. solved by simply copying the renewed certs over.
thanks.

system · 2018-01-20 14:40:42 UTC

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.