Syncing certificates between a load balanced server (permissions, best practices, etc.)

carpool · November 6, 2019, 4:44pm

So my configuration looks like this

User -> Cloudflare -> Cloudflare Load balancer
-> 50% -> Server 1
-> 50% -> Server 2

Server 1 and server 2 are identical, Ubuntu 18.04 with NGINX

I’ve set it up so I can generate certificates on server 1, and have a static.server1.com dns for verification purposes. It issues certificates perfectly!

*** Question ***

What is the best way to sync the certificates from Server 1 to Sever 2?

I read in another thread that I should sync the entire /etc/letsencrypt/ folder, so I tried rsync and ran into permission errors. Before I go about changing the permissions I thought I would ask here and see if there are any suggestions.

Thanks!

Osiris · November 6, 2019, 6:05pm

rsync through a secured channel (e.g. SSH) is probably a good way to distribute the private key and certificate(s). The private keys should be root accessible only, so if you’re using an other user to access the private key(s), you’ll run into permission errors indeed. I personally don’t see an issue with running rsync as root to synchronise the private key(s) and certificate(s).

system · December 6, 2019, 6:05pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.