SAN for load sharing meets certbot

NTS (Network Time Security) uses TLS on port 4060

I have 2 servers at ntp1.glypnod.com and ntp2.glypnod.com
Both have certificates from Let's Encrypt and work fine.

Both certificates also have a SAN entry for ntp.glypnod.com. DNS for ntp.glypnod.com has 4 addresses, the IPv4 and IPv6 addresses of ntp1 and ntp2. That works as expected. If ntpd asks for NTS via ntp.glypnod.com, DNS picks one and the certificate checking dance works via SAN.

The catch is when renewing. certbot wants to verify that I/it controls all the IP addresses. But 2 of them are over on another machine. I can renew by removing the DNS entries for the other system from ntp.glypnod.com, renewing, then putting the DNS entries back.

Is there a better way?

Hi @HGM

yes.

Read

You can create redirects

http://ntp.glypnod.com/.well-known/acme-challenge/random-filename
-->
http://new-subdomain.glypnod.com/.well-known/acme-challenge/random-filename

The new subdomain has only one IP address. Run your Certbot there with webroot.


Does your DNS provider support API-based updates? If so, then I'd recommend switching to DNS-01 challenges. Then you can take one of two approaches depending on what's easiest and makes the most sense for you:

  1. Having a system somewhere (could be one of those two, but doesn't need to be) use the DNS challenge to create the certificate with all three names (ntp, ntp1, ntp2), and then have some script run afterward that copies the new certificate to both servers.
  2. Have both systems renew their own certificate, with one making a certificate with names for ntp & ntp1 and the other making its own certificate with the names for ntp & ntp2.

If your provider doesn't support some sort of API for DNS, you may be able to get there anyway by setting up something like acme-dns.
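A deploy hook for the first DNS-01 approach above (one host renews the certificate carrying ntp, ntp1 and ntp2, then pushes it to both NTS servers), added here as an example and not part of this thread. certbot really does set RENEWED_LINEAGE and RENEWED_DOMAINS for deploy hooks; the target hostnames, the /etc/ntp/nts destination, the daemon name ntpd and root ssh/scp access from the renewing host are assumptions for the example.

```shell
#!/bin/sh
# Added example deploy hook: after certbot renews the certificate that carries
# ntp.glypnod.com (plus ntp1/ntp2) via DNS-01, push it to both NTS servers.
# Assumptions: target hostnames, DEST_DIR, the daemon name "ntpd" and root
# ssh/scp access from the renewing host are all constructed for this example.
set -eu

TARGETS="${TARGETS:-ntp1.glypnod.com ntp2.glypnod.com}"   # NTS servers (assumed)
DEST_DIR="${DEST_DIR:-/etc/ntp/nts}"                       # where ntpd reads cert/key (assumed)

# Only the lineage containing the shared SAN should be distributed; certbot
# passes the names as a space-separated RENEWED_DOMAINS. Returns 0 on a match.
needs_push() {
    for d in $1; do
        if [ "$d" = "ntp.glypnod.com" ]; then return 0; fi
    done
    return 1
}

# Copy chain and key to one host, keep the key root-only, restart the daemon.
# With DRY_RUN=1 it prints what it would do instead of touching the remote host.
push_to() {
    host="$1"; lineage="$2"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "would copy $lineage/{fullchain,privkey}.pem to $host:$DEST_DIR"
        return 0
    fi
    scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" "root@$host:$DEST_DIR/"
    ssh "root@$host" "chmod 600 '$DEST_DIR/privkey.pem' && systemctl restart ntpd"
}

# certbot sets RENEWED_LINEAGE to the live/ directory of the renewed certificate.
main() {
    lineage="${RENEWED_LINEAGE:?RENEWED_LINEAGE is set by certbot}"
    if needs_push "${RENEWED_DOMAINS:-}"; then
        for h in $TARGETS; do push_to "$h" "$lineage"; done
    fi
}

# Run main only when certbot executes this file directly, not when it is sourced.
case "${0##*/}" in deploy-hook.sh) main ;; esac
```

Install it as /usr/local/bin/deploy-hook.sh (assumed path) and pass it with `certbot renew --deploy-hook /usr/local/bin/deploy-hook.sh`; renewals of a lineage without the ntp.glypnod.com name are left alone.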
