Hi folks, I need some help in understanding something about signing the certificates for a clustered (Active-Active) environment.
example.com (service domain).
The SAN collab.example.com is important for the hosted service to work, as the clients will verify this SAN entry when the certificate is presented by the server to the client. Also, as mentioned, it's an Active-Active cluster, hence a client can land on any of the servers.
For certificate signing to work, I know that all SAN entries have to be resolvable from outside and LE should be able to reach these servers over port 80.
I can get the certificate SIGNED on one of the servers as normal; however, as mentioned, some SAN entries are common and it's important to have them on the certificates of both servers running in the cluster.
So I can create an entry on DNS (for e.g.) as below:
And then get the Server 1 CSR signed.
After this I change the DNS entry to something like below:
When I get the second server's certificate signed, LE can connect to either server (after DNS resolution) for validation of collab.example.com. How do I make sure that the LE server connects to the originating server, which in this case is server2.example.com?
If that is not possible, what is the best practice for such environments? And how can one overcome this if it's a limitation?
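One pre-flight check a practitioner would run before requesting the certificate is to confirm that every SAN on the CSR resolves, and resolves only to the node that will answer the HTTP-01 challenge on port 80. The script below is an added example, not code from the post or from Let's Encrypt; the hostnames and the 192.0.2.x addresses are constructed (TEST-NET-1 documentation addresses), and the `resolver` hook is an assumption that lets the check run offline against a constructed DNS table. A name that round-robins to both cluster nodes, like collab.example.com in the scenario above, is flagged because the validator may reach the node that does not hold the challenge response.

```python
"""Pre-flight check: do all SAN names resolve to the node that will serve
the ACME HTTP-01 challenge?  Added example with constructed sample data."""
import socket
from typing import Callable, Dict, Iterable, List, Set

# A resolver maps a hostname to the set of addresses it resolves to.
Resolver = Callable[[str], Set[str]]


def system_resolver(name: str) -> Set[str]:
    """Resolve a hostname with the system resolver (IPv4 and IPv6).
    Returns an empty set if the name does not resolve at all."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_san_resolution(
    san_names: Iterable[str],
    challenge_host_ips: Set[str],
    resolver: Resolver = system_resolver,
) -> Dict[str, dict]:
    """For each SAN, record its addresses, whether it resolves at all, and
    whether every address belongs to the host that serves the challenge.
    A SAN that also points at another node can send the validator there."""
    report: Dict[str, dict] = {}
    for name in san_names:
        addrs = resolver(name)
        report[name] = {
            "addresses": addrs,
            "resolvable": bool(addrs),
            "all_on_challenge_host": bool(addrs) and addrs <= challenge_host_ips,
        }
    return report


def names_needing_attention(report: Dict[str, dict]) -> List[str]:
    """SANs that are unresolvable or that may route validation elsewhere."""
    return sorted(n for n, r in report.items() if not r["all_on_challenge_host"])


# Constructed DNS table standing in for the real zone (assumption, not the
# poster's actual records).  collab.example.com is round-robined to both nodes.
SAMPLE_DNS: Dict[str, Set[str]] = {
    "server1.example.com": {"192.0.2.1"},
    "server2.example.com": {"192.0.2.2"},
    "collab.example.com": {"192.0.2.1", "192.0.2.2"},
}


def sample_report() -> Dict[str, dict]:
    """Run the check for the second node's CSR against the constructed table."""
    csr_sans = ["server2.example.com", "collab.example.com", "missing.example.com"]
    node2_ips = {"192.0.2.2"}  # the node holding the challenge response
    return check_san_resolution(
        csr_sans, node2_ips, resolver=lambda n: SAMPLE_DNS.get(n, set())
    )


if __name__ == "__main__":
    rpt = sample_report()
    for name, r in rpt.items():
        status = "ok" if r["all_on_challenge_host"] else "CHECK"
        print(f"{status:5} {name:25} -> {sorted(r['addresses'])}")
    # With the constructed table this flags collab.example.com (shared across
    # nodes) and missing.example.com (does not resolve).
```

Replace the lambda with the default `system_resolver` to run the same check against live DNS from outside the cluster before each issuance.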