Do I create a separate cert on each load balanced server for the same domain?


#1

I am currently running about 80 domains on 2 servers that are load balanced using Microsoft Load Balancer. My question is, do I need to create an SSL cert for a domain on one server and then copy that to the other server? Or do I setup different certs for the same domain on each server, meaning running the LetsEncrypt script on server A for www.mydomain.com and then running the script separately on server B. Will this cause issues if a request comes into one server then gets bounced to the next, or does it not matter since it is the same domain?


#2

Hi @ScottHorner,

You can do this either way. The certificate is valid on whichever server it’s copied to, but if the request gets “bounced” to another server at an appropriate network layer, it will likely be a separate TLS session and work fine with either the same certificate and private key, or a different certificate and private key. (It really depends on whether “bounced” means “they have separate IP addresses pointed to by the same DNS name”, "they have separate DNS names and generate HTTP redirects to one another, “they have the same public IP address but some kind of proxy decides which one will handle each incoming TCP session”, “they have the same public IP address and can literally take over for each other in the middle of a TCP session”, “Microsoft designed them to be able to handle TLS session resumption on one another’s behalf by pooling session keys in a database”, or something else!)

If your load balancer happens to have documentation indicating that its load-balancing method requires the private key to be the same on all instances, then you’ll have to follow that advice.

Please be mindful of the issuance rate limits:

(They shouldn’t cause you any trouble if you have only two servers.)


#3

Thank you @schoen for the info.


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.