I have 2 webservers running with one failover IPv4 adress and one failover IPv6 subnet. In case of down time, the web traffic is redirected to the other webserver via the failover addresses. In order to be able to use Let’s Encrypt, I intend to mount a webdav share on the .well-known folder in both webservers. That way, one webserver should be able to renew its certificates even if the web traffic is redirected to the other server. Do security considerations speak against this setup?
The challenge data that gets stored in
/.well-known/acme-challenge is not a secret (in most threat models). If you intend to allow the WebDAV server and both webservers to be trusted to obtain certificates for your domain name, this shouldn’t be a security problem.
I’ll use encfs then. Something like this:
mount -t davfs webdav_share /mnt/webdav
if [ -d /mnt/webdav/encfs ]; then
su - normal_user -c "ENCFS5_CONFIG=/home/normal_user/.encfs.xml encfs /mnt/webdav/encfs /var/www/localhost/.well-known"
I have not tried out above, yet.
Thanks for the feedback,
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.