I just set up Let’s Encrypt successfully on a standard apache2 installation on Debian with two virtual hosts.
What I want to do now is to set up a second dedicated host in a different location (different IP) which would be accessed in the case of downtime of the primary server through a DNS failover service.
As far as I know, Let’s Encrypt / SSL is not tied to the IP, but rather to the domain itself. So it should be possible to use the same set of keys/certificates for the failover host. Unfortunately, I couldn’t find anything on the web. So I’m just asking here: How would I proceed?
Is it sufficient to just rsync the contents of /etc/letsencrypt as well as the apache configuration files to the failover machine, or are there additional or divergent steps involved?
You could just copy over the certificates (which should work fine).
If you want a full copy of all the config etc., then you could rsync over everything. If this is just a “temporary failover location” though, I personally keep it simpler with just the certs copied over.
One extra thing to watch out for is that during renewals (so, probably every couple of months) Let’s Encrypt will want to re-validate your control of the domain, just as it did to create the certificates originally. So it pays to think now about how that will work for your extra failover machine. A few options come to mind:
If the failover server isn’t intended to become active unless a disaster happens, you know you’ll have at least a few weeks after such a disaster to decide what to do about the certificates, so you could do nothing now and just add “Let’s Encrypt certificates?” to the TODO list in the event of having to fail over.
You could use a means of validation like DNS that’s independent of this web server. Validation would still work if either (or indeed both) servers failed. You might need a different Let’s Encrypt client to do this, and it’s a bit less friendly for web admins, but it could suit your situation.
You could ensure that anything in the .well-known/ directory used by Let’s Encrypt is mirrored to the failover server so it doesn’t matter which server Let’s Encrypt ends up validating against.
So, setup of a second host doesn’t seem to be a problem.
Which leaves me with renewal.
Right now, I just have a cron job for auto renewal on the primary host.
If I understood correctly, I could trigger renewal from any machine. So in my case it would be sufficient to rsync the letsencrypt installation to the failover, so I could trigger renewal from the second host in case of disaster (which is my use case, btw)?
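Whichever copy method is used, the failover host only works if the symlinks under live/ still resolve and the private key did not become readable by other users during the transfer. The check below is an added example, not code from anyone in this thread; it assumes certbot's usual layout (live/<name>/*.pem symlinked into archive/<name>/) and GNU readlink/stat as shipped on Debian, and the function name check_le_tree is made up for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a copied /etc/letsencrypt tree on the failover host.
# Assumption: live/<name>/{cert,chain,fullchain,privkey}.pem are symlinks
# pointing into archive/<name>/ (certbot's standard layout).

check_le_tree() {
    le_root=$(readlink -f "${1:-/etc/letsencrypt}")
    le_rc=0
    le_seen=0
    for le_dir in "$le_root"/live/*/; do
        [ -d "$le_dir" ] || continue          # no lineages: glob stayed literal
        le_seen=$((le_seen + 1))
        for le_f in cert chain fullchain privkey; do
            le_link="${le_dir}${le_f}.pem"
            if [ ! -L "$le_link" ]; then
                # e.g. copied with a tool or option that dereferences symlinks
                echo "NOT A SYMLINK: $le_link"; le_rc=1; continue
            fi
            if [ ! -e "$le_link" ]; then
                echo "DANGLING: $le_link -> $(readlink "$le_link")"; le_rc=1; continue
            fi
            le_target=$(readlink -f "$le_link")
            case "$le_target" in
                "$le_root"/archive/*) ;;
                *) echo "OUTSIDE ARCHIVE: $le_link -> $le_target"; le_rc=1 ;;
            esac
            if [ "$le_f" = privkey ]; then
                # Flag a key that group or others can access (mode not ending in 00).
                le_mode=$(stat -c '%a' "$le_target")
                case "$le_mode" in
                    *00) ;;
                    *) echo "KEY TOO OPEN ($le_mode): $le_target"; le_rc=1 ;;
                esac
            fi
        done
    done
    [ "$le_seen" -gt 0 ] || { echo "no lineages under $le_root/live"; le_rc=1; }
    return "$le_rc"
}

# Run directly as: sh check.sh /etc/letsencrypt
if [ "$#" -gt 0 ]; then check_le_tree "$1"; fi
```

Running it on the failover host after each sync (for example from the same cron job that does the rsync) gives a non-zero exit status when the copy is unusable.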