Run certbot from multiple clones

Is it OK if I run certbot renew from two identical machines without synchronizing the result of the runs? Would certbot re-use already-issued certificates, or would it re-issue the certificates on every machine?

It will re-issue them on each machine. This is nonetheless OK for many purposes because the certificates can co-exist and each be valid at the same time. But be aware of the Let’s Encrypt issuance rate limits:

https://letsencrypt.org/docs/rate-limits/


Well, it didn’t work… the verification callback is going to a random clone (d’uh).

(http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization

How can I make the verification callback go to the same machine?

You can’t. Let’s Encrypt will connect to one of the IP addresses defined by your domain’s AAAA or A record at random.

You could proxy requests from one server to the other so it eventually reaches the right one, or you could share the .well-known/acme-challenge via NFS or so between the servers.

Or, if your DNS provider has an API or you run your own DNS server, you could use the dns-01 verification method instead, which doesn’t have this problem.

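As an added illustration of the proxy approach described in the reply above (this is example configuration written for this page, not something posted in the thread or shipped by certbot), here is an nginx server block for the clones that do NOT run certbot. Every clone keeps serving the site, but any ACME http-01 request that lands on it is forwarded to the one clone designated to run certbot, so it no longer matters which A/AAAA address Let’s Encrypt picks. The internal address 10.0.0.1, the webroot path /var/www/acme and the domain example.com are assumed placeholders.

```nginx
# Assumed layout (placeholders, not from the thread):
#   10.0.0.1        = the single clone that runs "certbot renew"
#   /var/www/acme   = that clone's --webroot directory
#   example.com     = the domain being validated

# --- On every clone EXCEPT 10.0.0.1 ---
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Forward http-01 challenge requests to the certbot clone.
    # "^~" makes this prefix match win over regex locations, so another
    # rule (e.g. a blanket redirect to HTTPS) cannot swallow the challenge.
    location ^~ /.well-known/acme-challenge/ {
        proxy_pass http://10.0.0.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }

    # Everything else behaves as before (redirect to HTTPS, serve the app, ...).
    location / {
        return 301 https://$host$request_uri;
    }
}

# --- On 10.0.0.1 only (the clone that runs certbot) ---
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;

    # Serve the challenge tokens certbot writes into the webroot.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
        default_type text/plain;
    }

    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place only the designated clone runs certbot, using the webroot plugin pointed at the same directory (for example certbot certonly --webroot -w /var/www/acme -d example.com), and the resulting certificate and key are then copied to the other clones by whatever deployment mechanism you already use. Because only one machine issues, the rate-limit concern raised earlier in the thread is also reduced to a single renewal per period. Before relying on it, confirm from each clone that a test file placed under /var/www/acme/.well-known/acme-challenge/ on 10.0.0.1 is reachable through every public address in the domain’s A and AAAA records.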
