STS does not pin to a specific public key, so there are two options:
a) Each server has its own FQDN with its own keys (srv.example.net).
b) They use round-robin DNS; then they should also all use the same private key.
IRC (mostly) always uses round-robin DNS when there are multiple servers, so that users connect to irc.example.net and, if one server goes down, they reconnect and get to a working server.
So it's not possible to have a different valid key for each server in the round robin?
Hi,
yes, it is possible. But you have to decide who is the “key-master”, because you need one person who has the account key for issuing the certificates. You can request the cert again. But in this use case I would suggest using the same key/cert for all servers in one “cluster”. Alternatively, you use a CNAME; that means irc.example.net is a CNAME for multiple A records, each with its individual key. But I am not sure how the client will handle this case.
I've set up a test bed using InspIRCd and NGINX acting as reverse proxies to round-robin incoming challenge requests.
Each node is available as irc.example.com as well as under its own name ircN.example.com, and MUST NOT answer challenge requests for names other than those two.
upstream acme-challenge {
    server irc1.example.com:443;
    server irc2.example.com:443;
}
This is working well so far. Another yet unsolved problem is fingerprinting, where you can't just replace your certs without informing each other node about the new fingerprint beforehand.
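The fingerprint drift described above (one node rotating its cert while the others, and clients pinning a fingerprint, still expect the old one) can be caught by connecting to every A record behind the round-robin name with that name as SNI and comparing the SHA-256 fingerprints presented. The script below is an added example, not code from this thread or from InspIRCd; the name irc.example.net, port 6697 and the 192.0.2.x addresses are assumed for illustration.

```python
import hashlib
import socket
import ssl
from collections import defaultdict

# Assumed round-robin name and IRC-over-TLS port used for the audit.
ROUND_ROBIN_NAME = "irc.example.net"
PORT = 6697


def fetch_leaf_cert_der(ip: str, sni: str, port: int = PORT, timeout: float = 5.0) -> bytes:
    """Handshake with one A record, sending the round-robin name as SNI, and return the leaf cert (DER)."""
    ctx = ssl.create_default_context()
    # Verification is intentionally off here: we only want to see which cert each node presents.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the form IRC clients usually pin."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def group_by_fingerprint(certs: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each distinct fingerprint to the nodes (by IP) that presented it."""
    groups = defaultdict(list)
    for node, der in certs.items():
        groups[sha256_fingerprint(der)].append(node)
    return dict(groups)


def is_consistent(certs: dict[str, bytes]) -> bool:
    """True when every node behind the round-robin name presents the same certificate."""
    return len(group_by_fingerprint(certs)) <= 1


def resolve_a_records(name: str) -> list[str]:
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None, socket.AF_INET)})


def audit(name: str = ROUND_ROBIN_NAME, port: int = PORT) -> bool:
    certs = {}
    for ip in resolve_a_records(name):
        try:
            certs[ip] = fetch_leaf_cert_der(ip, name, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{ip}: TLS handshake failed: {exc}")
    for fp, nodes in group_by_fingerprint(certs).items():
        print(f"{fp}  <- {', '.join(nodes)}")
    return is_consistent(certs)


if __name__ == "__main__":
    raise SystemExit(0 if audit() else 1)
```

Run it from cron after each renewal; a non-zero exit means at least one node is presenting a different certificate than its siblings.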