IP failover for certificate


#1

Hello everybody

Being new and very bad in English, please excuse in advance any faults or other clumsiness.

I have two servers with IP failover: the first is used for production, the second in case the first crashes.

The server in production concerns town halls, so I can make no mistake.
I generate certificates manually via `certbot certonly --webroot -w /var/html/ -d www.example.com -d example.com`

I use an IP failover to be able to switch from one to the other without having to change the DNS. The IP is moved by hand; it is not a load balancer.

On the first I set up, for test, a Let’s Encrypt certificate (previously I used StartCom; given what is happening today, it was a bad choice).

My question is about the second server: should I just copy the `/etc/letsencrypt/` folder to the second server, or should I do otherwise?

I should add that I make the backups on a third server.

Thank you in advance for your help.

Cordially

My operating system is (include version): Debian Jessie

My web server is (include version): apache

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Could you provide a little more information on your question please (as I could interpret it in several different ways)? I’m not sure exactly what you are after.


#3

Thank you for your reply,
I will try to be clearer.
My DNS records point to the failover IP, which points to my production server. In case of a server crash I activate the second one manually (no load balancer).
Let’s Encrypt being free, thanks for that, I do not want to overload their servers.
So if I just do an rsync of the `/etc/letsencrypt/` folder so that all sites are in HTTPS directly, this would be very simple and would avoid generating new certificates.


#4

Thanks for the clarification.

Yes, if you rsync the /etc/letsencrypt folder over (that way it preserves symlinks) then everything should be fine on the failover server.


#5

Thank you very much for the answer and also for the work you provide.


#6

Please do take a look at the time of renewal of your certificates to ensure that your rsync task and your configuration are performing the way you expect.

I assume from your conversation that you will run certbot renew only on one server (the master one, not the failover one) to perform the renew there. After each renewal happens, you’ll need to repeat the rsync (it could be automated from crontab, as certbot renew can). This will also require restarting or reloading the webserver on the failover server; otherwise, the failover server’s webserver process won’t know about the new renewed certificate!

So that is a source of slight subtlety or caution, and remember that renewal happens by default every 60 days if you’re using certbot renew (in order to complete the renewal well in advance of the 90-day expiration period).
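The rsync-after-renewal and reload-on-the-standby steps described above can be tied to the renewal itself with a certbot deploy hook. The script below is an added example, not from this thread; it assumes root ssh key access to a hypothetical standby host, a certbot version that supports `--deploy-hook`, and Apache on the standby.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook that pushes the
# renewed /etc/letsencrypt tree to the standby server and reloads Apache.
# Assumptions: standby reachable as root over ssh with key auth (host name
# below is hypothetical) and certbot invoked as
#   certbot renew --deploy-hook /usr/local/sbin/push-to-standby.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# and RENEWED_DOMAINS to the hook.
set -eu

FAILOVER_HOST="${FAILOVER_HOST:-standby.example.com}"   # hypothetical host
LE_DIR="/etc/letsencrypt"

# rsync command: -a keeps the live/ -> ../../archive/ symlinks and the 0600
# mode on private keys; --delete drops archive versions certbot has pruned.
build_rsync_cmd() {
    printf 'rsync -a --delete -e ssh %s/ root@%s:%s/' "$LE_DIR" "$1" "$LE_DIR"
}

# Remote reload: check the config first so a broken vhost cannot leave the
# standby without a running web server.
build_reload_cmd() {
    printf 'ssh root@%s "apachectl configtest && service apache2 reload"' "$1"
}

# Fingerprint of the renewed cert; run locally and on the standby to prove
# the standby now holds the same certificate the master just obtained.
build_fingerprint_cmd() {
    printf 'openssl x509 -noout -fingerprint -sha256 -in %s/fullchain.pem' "$1"
}

main() {
    echo "Pushing renewed certificate for ${RENEWED_DOMAINS:-?} to $FAILOVER_HOST"
    sh -c "$(build_rsync_cmd "$FAILOVER_HOST")"
    sh -c "$(build_reload_cmd "$FAILOVER_HOST")"
    local_fp=$(sh -c "$(build_fingerprint_cmd "$RENEWED_LINEAGE")")
    remote_fp=$(ssh "root@$FAILOVER_HOST" "$(build_fingerprint_cmd "$RENEWED_LINEAGE")")
    if [ "$local_fp" != "$remote_fp" ]; then
        echo "Fingerprint mismatch after sync: $local_fp vs $remote_fp" >&2
        exit 1
    fi
    echo "Standby now holds $local_fp"
}

# certbot only sets RENEWED_LINEAGE when it calls a deploy hook; sourced
# without it (e.g. to inspect the command builders) the script does nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
fi
```

Because the hook only runs when a certificate was actually renewed, the standby is reloaded exactly when it needs to be and not on every cron run.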

