Certbot in HA mode

Hello,

I have a general question. I am new to handling certificates. It seems like ACME clients generally do not have any redundancy (HA Mode). Is it safe to deploy just one instance of Certbot and forget about it?

I am planning to use certbot in my load balancer (HAProxy) VM. What are the best practices?

Thanks in advance for the help!

2 Likes

Because the lifetime of LE certs is 90 days and LE recommends starting renewal 30 days before expiry, an ACME client would have 30 days to renew a certificate. For most users, this is enough time as an alternative to forms of redundancy.

3 Likes

Doesn't HAProxy have some sort of built-in certificate handling?

3 Likes
4 Likes

Do you mean does it have native ACME support? (No) Or does it terminate TLS connections? (Yes)

I use haproxy as a reverse proxy for the vast majority of my personal hobby stuff and it works great with any number of ACME clients. You'll likely need to use some sort of hook script in order to do post-processing on new certs and reload the haproxy config (assuming you don't want to hassle with the dynamic loading @Rip linked to). The cert post-processing will depend on the haproxy version. Earlier versions required the cert+chain+key all combined in a single PEM file which most ACME clients don't provide out of the box. Though I think the latest versions can now use the key in a separate file.

Using an ACL such as acl isACME path_beg /.well-known/acme-challenge/ on your http front end will allow you to redirect ACME challenge requests wherever...such as a self-hosted server run by the ACME client.

5 Likes
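
The cert post-processing and reload step described in the reply above, written as a certbot deploy hook. This is an added example, not code from any poster in the thread. The paths under /etc/haproxy and the systemd unit name are assumptions; RENEWED_LINEAGE is the variable certbot sets when it runs a deploy hook.

```shell
#!/bin/sh
# Added example: certbot deploy hook for HAProxy (not from the thread).
# Assumed: /etc/haproxy/certs, /etc/haproxy/haproxy.cfg, systemd unit "haproxy".

# build_haproxy_pem LINEAGE_DIR OUT_FILE
# Concatenate fullchain.pem + privkey.pem into the single PEM file that
# earlier HAProxy versions require. Returns non-zero and leaves OUT_FILE
# untouched if either input is missing or does not look like PEM.
build_haproxy_pem() {
    lineage=$1
    out=$2
    chain="$lineage/fullchain.pem"
    key="$lineage/privkey.pem"

    [ -s "$chain" ] && [ -s "$key" ] || return 1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$chain" || return 1
    grep -q -e 'PRIVATE KEY-----' "$key" || return 1

    # The output holds the private key. mktemp creates the file with
    # mode 0600, and placing it in the destination directory makes the
    # final mv an atomic rename, so HAProxy never reads a half-written file.
    tmp=$(mktemp "$(dirname "$out")/.haproxy-pem.XXXXXX") || return 1

    if cat "$chain" "$key" > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$out"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when it runs a deploy hook; nothing below runs otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    name=$(basename "$RENEWED_LINEAGE")
    build_haproxy_pem "$RENEWED_LINEAGE" "/etc/haproxy/certs/$name.pem" || exit 1
    # Check the config first so a bad cert file cannot take the proxy down.
    haproxy -c -q -f /etc/haproxy/haproxy.cfg || exit 1
    systemctl reload haproxy
fi
```

Saved as an executable file in /etc/letsencrypt/renewal-hooks/deploy/, it runs after each successful renewal. With two load balancer VMs, each node would still need its own copy of the combined file.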

Bummer

4 Likes

TL;DR
Does that extend to, or across, HAProxy clusters?
[that would benefit the OP]

4 Likes