Multiple servers -- backup / load balancing

Hello,

I have 4 servers in the US: NYC, ATL, SEA, and LA.
For each server, I have a cert for the respective nyc.site.com, atl.site.com, etc.
When my code has the ability to select which server to use, it can explicitly request the corresponding subdomain. This part is fine.

The part I need help with is the domains they share.
Right now NYC has a cert for site.com, static.site.com, and www.site.com.
The other servers should also be able to host these domains.

I think what I need to do is choose one server to act as the primary. It can have a cron job to call certbot renew. Then it can scp /etc/letsencrypt/live/www.site.com to the other servers.

Then I guess I’ll set up a cron job for the non-primary servers which only refreshes their subdomain such as atl.site.com.

Does this seem like the correct approach?

Thanks!

Assuming that [nyc.site.com] and [site.com,static.site.com,www.site.com] are intended to be separate certificates, that sounds fine.

You can improve things slightly by not requiring the servers to be able to login to each other:

  • Use --reuse-key so the private key doesn’t change at renewal time
  • Publish fullchain.pem in a --deploy-hook on the primary server to a public location so the other servers can just pull it at their leisure

but that’s just nitpicking.

If you intended for this to be a single certificate, then using DNS validation might be a better choice, since each server would be able to authorize itself for all of the names independently.
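As an added example, not code from the thread or from certbot itself, here is a sketch of the publish/pull flow suggested above: a deploy hook on the primary copies only fullchain.pem (public data) to a web-served directory with a checksum, and the secondaries fetch it, check the checksum, and confirm the chain matches the private key they already hold (which stays fixed thanks to --reuse-key) before installing it. The publish directory, the HTTPS URL on nyc.site.com, the lineage path and the reload command are assumed placeholders; RENEWED_LINEAGE is the variable certbot sets for deploy hooks.

```shell
#!/bin/sh
# Added example (not the thread's or certbot's code). Assumed placeholders:
LINEAGE="${RENEWED_LINEAGE:-/etc/letsencrypt/live/www.site.com}"  # certbot exports RENEWED_LINEAGE in deploy hooks
PUBLISH_DIR="${PUBLISH_DIR:-/var/www/certs}"                       # assumed: served by the primary over HTTPS
PUBLISH_URL="${PUBLISH_URL:-https://nyc.site.com/certs}"           # assumed URL of that directory
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"                 # assumed reload command on secondaries

# Primary side: copy fullchain.pem into the published directory atomically and
# write a sha256 beside it. privkey.pem is deliberately never published.
publish_chain() {
    lineage="$1"; out="$2"
    mkdir -p "$out"
    cp "$lineage/fullchain.pem" "$out/fullchain.pem.tmp"
    (cd "$out" && sha256sum fullchain.pem.tmp | awk '{print $1 "  fullchain.pem"}' > fullchain.pem.sha256)
    mv "$out/fullchain.pem.tmp" "$out/fullchain.pem"
}

# Secondary side: returns 0 only if the checksum matches and the file looks like a PEM bundle.
verify_chain() {
    dir="$1"
    (cd "$dir" && sha256sum -c --status fullchain.pem.sha256) || return 1
    grep -q 'BEGIN CERTIFICATE' "$dir/fullchain.pem" || return 1
    grep -q 'END CERTIFICATE' "$dir/fullchain.pem" || return 1
}

# Secondary side: refuse to install a chain whose leaf public key does not match
# the local private key (the whole point of --reuse-key is that it should).
key_matches() {
    chain="$1"; key="$2"
    a=$(openssl x509 -in "$chain" -pubkey -noout | openssl pkey -pubin -outform DER | sha256sum)
    b=$(openssl pkey -in "$key" -pubout -outform DER | sha256sum)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Secondary side: fetch over HTTPS (so the primary's own cert authenticates the
# download), verify, check the key, then install and reload.
pull_chain() {
    url="$1"; lineage="$2"
    tmp=$(mktemp -d) || return 1
    curl -fsS -o "$tmp/fullchain.pem" "$url/fullchain.pem" || { rm -rf "$tmp"; return 1; }
    curl -fsS -o "$tmp/fullchain.pem.sha256" "$url/fullchain.pem.sha256" || { rm -rf "$tmp"; return 1; }
    if verify_chain "$tmp" && key_matches "$tmp/fullchain.pem" "$lineage/privkey.pem"; then
        if ! cmp -s "$tmp/fullchain.pem" "$lineage/fullchain.pem"; then
            cp "$tmp/fullchain.pem" "$lineage/fullchain.pem" && sh -c "$RELOAD_CMD"
        fi
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# Usage: as a certbot --deploy-hook on the primary: `this.sh publish`
#        from cron on each secondary:                `this.sh pull`
case "${1:-}" in
    publish) publish_chain "$LINEAGE" "$PUBLISH_DIR" ;;
    pull)    pull_chain "$PUBLISH_URL" "$LINEAGE" ;;
esac
```

The checksum only guards against a partial or mid-write download; integrity and origin of the file come from the TLS connection to the primary, and the key-match check is what stops a secondary from installing a chain issued for a different key. Because only fullchain.pem moves between hosts, no server needs SSH credentials for any other, which is the improvement the reply is pointing at.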

