Letsencrypt on corosync pacemaker


#1

Hello,

Got two nodes with a failover ip.
The A record machine.domain.com points to that failover ip.
I have generated a letsencrypt-auto -d machine.domain.com certificate on the master node.
On the master node all is working well.
On the slave node I have SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch and apache doesn’t start.
Keys and apache confs reside on a drbd volume shared between the two nodes.
If I disable ssl apache starts without problems.

Help please


#2

Hi @rgallo,

What did you share over from the master node to the slave node? Do you share all of /etc/letsencrypt and is it shared at the exact same location?


#3

Yes, and it is shared at the same location.


#4

Could you try running these two commands?

openssl x509 -modulus -noout -in /etc/letsencrypt/live/machine.domain.com/cert.pem
openssl rsa -modulus -noout -in /etc/letsencrypt/live/machine.domain.com/privkey.pem

The output of these two commands is not sensitive (although sharing it will allow someone to determine your domain name). The important question is whether the two commands give exactly the same output.


#5

openssl x509 -modulus -noout -in machine.domain.my.pem
Modulus=BFE5E865EB2A77C8749D4884A0CAD56591C73F7BA4C71B21F314EF78051DEA81CE297F2D043F705B265E846D51935740B4453CC37D15A0CE5426D37EE418ED97BB0F6675706CCE53ED10FBFF667173EE798AA87C7D02AD988C0B55C9BEB6756EE2B9DFBF8CCB425051D19A67B517C7F88CF2AB381F0432F2859FB86B8A00CD15053BAB0AC2FE6C703405AD9746C6A790A5726C1F46E216682DB2C794E3982E453FE7A767952DA5F3398C978F8A6ADAD5C466894B97A484646C1820BB0AD7BE18639A88DD20ABDE3836F3DA99384668D835DE69198064361902DACFE8A68190A7E5FC4451CFAE3AB1780AC179BFA6D1C3864C759B5D8F612E8670DB0BD5A4014FE5E67FD4022B4D7D9BEC9B2ED63CD26E3324997803C4501EA7D78E7A3C51B6869516AA78EDC737F79997B38826F1A1580265CF5D22C743997B07D0E7E26D19BA19B7091476F40FB14D5F815B933534CB162110772E8DAE733FEF9A98073365BA98925F83C723D2C5843542CCFC1E48F600CE0475E1398911FF35C67F7C4C70733D564F86297DBB331480136FC95B0618661F08B4B83C0862609A48355AD1822A6BE8E745FDB5BCBF68E1D87F7C8129F71349BB5CFD9935DCDB4FC41AF9521CCC4E3E5BF19233EF0BD407FCA5E5D95302022019F24087B2E60E64609FE3FD980773969841ACB4560E3F28CF56ECD7C043BF82714F41ED09B04167CD1FFF506FE3

openssl rsa -modulus -noout -in machine.domain.my.key
Modulus=BFE5E865EB2A77C8749D4884A0CAD56591C73F7BA4C71B21F314EF78051DEA81CE297F2D043F705B265E846D51935740B4453CC37D15A0CE5426D37EE418ED97BB0F6675706CCE53ED10FBFF667173EE798AA87C7D02AD988C0B55C9BEB6756EE2B9DFBF8CCB425051D19A67B517C7F88CF2AB381F0432F2859FB86B8A00CD15053BAB0AC2FE6C703405AD9746C6A790A5726C1F46E216682DB2C794E3982E453FE7A767952DA5F3398C978F8A6ADAD5C466894B97A484646C1820BB0AD7BE18639A88DD20ABDE3836F3DA99384668D835DE69198064361902DACFE8A68190A7E5FC4451CFAE3AB1780AC179BFA6D1C3864C759B5D8F612E8670DB0BD5A4014FE5E67FD4022B4D7D9BEC9B2ED63CD26E3324997803C4501EA7D78E7A3C51B6869516AA78EDC737F79997B38826F1A1580265CF5D22C743997B07D0E7E26D19BA19B7091476F40FB14D5F815B933534CB162110772E8DAE733FEF9A98073365BA98925F83C723D2C5843542CCFC1E48F600CE0475E1398911FF35C67F7C4C70733D564F86297DBB331480136FC95B0618661F08B4B83C0862609A48355AD1822A6BE8E745FDB5BCBF68E1D87F7C8129F71349BB5CFD9935DCDB4FC41AF9521CCC4E3E5BF19233EF0BD407FCA5E5D95302022019F24087B2E60E64609FE3FD980773969841ACB4560E3F28CF56ECD7C043BF82714F41ED09B04167CD1FFF506FE3


#6

OK, that looks good—how does your Apache configuration refer to these files?


#7

I wonder why everything works perfectly on the master and breaks on the slave, while all conf files of apache and certs are on the common shared drbd volume.


#8

Could you run sudo apachectl -t -D DUMP_VHOSTS on both servers and see whether the output is identical?


#9

Since all configuration files are on the shared drbd, yes, but I checked and I can confirm that.


#10

Could you show the output of this from both machines?

grep -r SSLCertificate /etc/apache2


#11

Those are equal since the configuration files reside on the drbd volume.


#12

Could you post that output here?


#13

on the master
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/asterisk/keys/VERY.secret-machine.name.crt
/etc/httpd/conf.d/ssl.conf:#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/asterisk/keys/VERY.secret-machine.name.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/asterisk/keys/VERY.secret-machine.name.pem

on the slave

grep -r SSLCertificate /etc/httpd/
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/asterisk/keys/VERY.secret-machine.name.crt
/etc/httpd/conf.d/ssl.conf:#SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/asterisk/keys/VERY.secret-machine.name.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/asterisk/keys/VERY.secret-machine.name.pem
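
The modulus comparison suggested in post #4 applies to RSA keys, and it is only conclusive when run on the certificate and key paths that the configuration in post #13 actually names. An added example, not part of the original thread: a POSIX shell check that compares public-key hashes (so it also covers ECDSA keys) for each active SSLCertificateFile/SSLCertificateKeyFile pair in an Apache config file. The function names and the script name are hypothetical, and private keys are assumed to be unencrypted.

```bash
#!/bin/sh
# Added example (not from the thread): cert/key pairing check for any key type.

# SHA-256 of the DER public key taken from a certificate ("cert") or
# derived from an unencrypted private key ("key"). Fails if unparsable.
pubkey_hash() {
    if [ "$1" = cert ]; then
        pem=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    else
        pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    fi
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
check_pair() {
    c=$(pubkey_hash cert "$1") || { echo "UNPARSABLE $1"; return 2; }
    k=$(pubkey_hash key "$2") || { echo "UNPARSABLE $2"; return 2; }
    if [ "$c" = "$k" ]; then
        echo "MATCH $1 $2"
    else
        echo "MISMATCH $1 $2"; return 1
    fi
}

# Check each active (uncommented) SSLCertificateFile / SSLCertificateKeyFile
# pair in one Apache config file. Assumes unquoted paths without spaces.
check_conf() {
    status=0
    pairs=$(awk '$1 == "SSLCertificateFile"    { c = $2 }
                 $1 == "SSLCertificateKeyFile" { k = $2 }
                 c != "" && k != "" { print c, k; c = ""; k = "" }' "$1")
    while read -r cert key; do
        [ -n "$cert" ] || continue
        check_pair "$cert" "$key" || status=$?
    done <<EOF
$pairs
EOF
    return "$status"
}

# Usage (hypothetical script name): sh check_tls_pairs.sh /etc/httpd/conf.d/ssl.conf
if [ "$#" -ge 1 ]; then check_conf "$1"; fi
```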


#14

Clues, anyone? No answers in a while.


#15

Found that in /etc/httpd/conf.d/schmoozecom.conf the names for the http virtualhosts are the ones of the main node… How can I make those equal to the https one?


#16

I’m sorry to say that I don’t really have any other suggestions about how to make your configurations equivalent; I’m not familiar with this synchronization method but it looks like most of the relevant files are exactly the same. Is /etc/httpd not automatically synchronized in its entirety between the two machines?


#17

The problem was in /etc/hosts: if you want that to work, you must put all hostnames following 127.0.0.1.