SSL certificates for a backup server

I have a Let’s Encrypt certificate for

which is hosted on a VPS I rent from Ionos. The server is in the UK. The service from Ionos is generally very reliable, but there was once a 14-hour outage. I was thinking of paying for a real cheap, (and not particularly reliable) VPS in Germany. Then if the main one in the UK goes down, I can switch the DNS servers to point to the webserver in Germany.

What can/should I do about SSL certificates? Is coping the public and private keys over to the German server sensible? Then copy the SSL certificates over once/week or so.

You may ask why would I use a cheap and nasty German VPS. My reason is that if the main one only goes down once/year, the chances of the backup being down at same time is very remote.

1 Like

Hello :slightly_smiling_face:

You could copy the certificate (which contains the public key) and the private key. The latter poses certain security concerns/challenges. You could also just have the backup server acquire its own certificate when you switch the A/AAAA record to point to it during the outage. You should only have a few minutes of downtime owing mostly to propagating the A/AAAA record.

The main two approaches are:

  1. As @griffin says, have one server get the certificate, and then have whatever automation that renews the certificate also copy the certificate (and private key) to the other server, over some secure protocol.
  2. Have each server get its own certificate (generating its own private key). This requires the not-currently-active server to use the DNS-01 challenge (or somehow communicate with the active server to have it validate an HTTP-01 challenge for the inactive server but that sounds harder to me).

Though if you're really concerned about downtime, you may want some load balancer or CDN in front of both systems that checks connectivity to each and sends to whatever one is working. You could have that balancer be what terminates the SSL connection and gets the certificate, and then use a self-signed certificate or the like to communicate from that load balancer to the back-end servers. That's along the lines of what bigger need-to-be-up-all-the-time businesses do, and all the major "cloud" services and CDNs have solutions along these lines, which you might find to be worth looking into.

1 Like

The issue here is that OP is using two VPS hosting providers with neither a particular reliable uptime. Such a load balancer would require a very good uptime to do its job properly and that's the core issue here :wink:

Not sure if free/very low cost load balancers with very good uptime are available though. Does CloudFlares free plan offer such a fail-over option?

1 Like

Thank you. What keys need to be copied? Obviously the Let’s Encrypt keys, but are there any more “global” keys that need copying? The use of ssh should be good enough for me.

I use

to check whether the website is working. That’s the best I have found as I configure it to look for a specific word (attenuator) on my homepage, So unlike other services I have seen, it doesn’t just detect that the server is responding on port 443, but whether the response is what is to be expected. So far, according to that, there have been two 1-minute outages in 2021. That’s shown as an uptime of 100.00%, but they really should add another decimal place. I calculate it is 99.998%.

I get sent a text and email if there are problems.

I think for a small company, that sort of uptime is more than adequate, but there was once a 14-hour outage that I could have done something about had I had a backup server running.


1 Like

If you use Certbot, you should copy privkey.pem and fullchain.pem. Unless you use the --reuse-key option, both files will change (together) at every certificate renewal.

Assuming that the second server is only going to use the certificate and not itself try to perform renewals on it, no other files should be necessary.

With Certbot, you can automate this copying by writing a script and calling it with Certbot's --deploy-hook option—then it will run automatically after every successful certificate renewal.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.