Hi Folks, I need some help in understanding something about signing the certificates for a clustered (Active-Active) environment.
Scenario:
example.com (service domain).
Server 1 Certificate details
CN= server1.example.com
SAN Entries Needed (collab.example.com)
Server 2 Certificate details
CN= server2.example.com
SAN Entries Needed (collab.example.com)
SAN collab.example.com is important for the hosted service to work, as the clients will verify this SAN entry when the certificate is presented by the server to the client. Also, as mentioned, it's an Active-Active cluster, hence the client can land on any of the servers.
For certificate signing to work, I know that all SAN entries have to be resolvable from external and LE’s should be able to reach these servers over port 80.
I can get the certificate SIGNED on one of the servers as normal; however, as mentioned, some SAN entries are common and it's important to have them on both servers' certificates which are running in the cluster.
So I can create an entry on DNS (e.g.) as below:
server1.example.com 192.168.1.100
collab.example.com 192.168.1.100
And then get the Server 1 CSR signed.
After this I change the DNS entries to something like below:
server1.example.com 192.168.1.100
server2.example.com 192.168.1.101
collab.example.com 192.168.1.100
collab.example.com 192.168.1.101
Question
When I get the second server's certificate signed, LE’s can connect to any of the servers (after DNS resolution) for validation of (collab.example.com). How do I make sure that the LE server connects to the originator server, which in this case is server2.example.com?
If not, what is the best practice for such environments? And how can one overcome it if it's a limitation?
Regards,
Alok
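The risk described in the post (the CA resolves collab.example.com and reaches a node that does not hold the challenge token) can be caught before the order is placed. The following preflight check is an added example for this thread, not code from the poster or from Let's Encrypt: it resolves every SAN, connects to each returned address with the SAN as the Host header (the way an HTTP-01 validator does), and reports any node that does not answer with the expected key authorization. The names and addresses come from the post; the token, key authorization and the simulated DNS/HTTP tables are constructed so the script runs offline, and the real resolver/fetcher are used when you call `cluster_ready` without the simulated ones.

```python
"""Preflight check for ACME HTTP-01 on an active-active cluster.

The CA resolves each SAN and may connect to any address it gets back, so we
check every address of every name rather than the node we happen to be on.
Added example for this thread (not the poster's or Let's Encrypt's code);
TOKEN, KEY_AUTH and the SIMULATED_* tables are constructed data.
"""
import http.client
import socket
from typing import Callable, Dict, List, Tuple

ACME_PATH = "/.well-known/acme-challenge/"

Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str, str, str], Tuple[int, str]]


def resolve_all(name: str) -> List[str]:
    """Every A/AAAA address for `name`; the CA can pick any of them."""
    infos = socket.getaddrinfo(name, 80, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def fetch_challenge(addr: str, name: str, token: str) -> Tuple[int, str]:
    """GET the challenge from one specific node, sending the SAN as Host."""
    conn = http.client.HTTPConnection(addr, 80, timeout=5)
    try:
        conn.request("GET", ACME_PATH + token, headers={"Host": name})
        resp = conn.getresponse()
        return resp.status, resp.read().decode("ascii", "replace").strip()
    finally:
        conn.close()


def check_san(name: str, token: str, key_auth: str,
              resolver: Resolver = resolve_all,
              fetcher: Fetcher = fetch_challenge) -> Dict[str, str]:
    """Map each address behind `name` to 'ok' or the reason validation would fail."""
    results: Dict[str, str] = {}
    for addr in resolver(name):
        try:
            status, body = fetcher(addr, name, token)
        except OSError as exc:
            results[addr] = f"unreachable: {exc}"
            continue
        if status != 200:
            results[addr] = f"http {status}"
        elif body != key_auth:
            results[addr] = "wrong key authorization"
        else:
            results[addr] = "ok"
    return results


def cluster_ready(sans: List[str], token: str, key_auth: str,
                  resolver: Resolver = resolve_all,
                  fetcher: Fetcher = fetch_challenge) -> Dict[str, Dict[str, str]]:
    """Run check_san for every SAN in the CSR."""
    return {name: check_san(name, token, key_auth, resolver, fetcher) for name in sans}


def all_ok(report: Dict[str, Dict[str, str]]) -> bool:
    """True only if every address of every SAN serves the right key authorization."""
    return all(v == "ok" for per_addr in report.values() for v in per_addr.values())


# --- constructed simulation of the poster's second-server signing ---
TOKEN = "tok-constructed"
KEY_AUTH = TOKEN + ".thumbprint-constructed"

SIMULATED_DNS = {
    "server2.example.com": ["192.168.1.101"],
    "collab.example.com": ["192.168.1.100", "192.168.1.101"],
}
# Only node .101 (the originator of the second CSR) has the token on disk.
SIMULATED_HTTP = {
    ("192.168.1.101", TOKEN): (200, KEY_AUTH),
    ("192.168.1.100", TOKEN): (404, "not found"),
}


def simulated_resolver(name: str) -> List[str]:
    return SIMULATED_DNS[name]


def simulated_fetcher(addr: str, name: str, token: str) -> Tuple[int, str]:
    return SIMULATED_HTTP.get((addr, token), (404, ""))


def demo() -> Dict[str, Dict[str, str]]:
    """Report for the simulated cluster; node .100 fails for collab.example.com."""
    return cluster_ready(["server2.example.com", "collab.example.com"],
                         TOKEN, KEY_AUTH, simulated_resolver, simulated_fetcher)


if __name__ == "__main__":
    report = demo()
    for name, per_addr in report.items():
        for addr, verdict in per_addr.items():
            print(f"{name:22} {addr:16} {verdict}")
    print("ready to order:", all_ok(report))
```

A node that reports `http 404` here is exactly the one the CA can hit and fail on. The check does not change which node the CA picks; it only tells you before ordering whether every node would pass, so the operational fix (making the challenge path answer identically on every node, or using a challenge type that does not depend on which node the CA reaches) can be applied and re-verified.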