Letsencrypt certificate issue on multiserver

Discussion in 'General' started by davefrooney, Jun 20, 2017.

  1. davefrooney

    davefrooney Member

    Hey guys, I am having trouble with letsencrypt certs on a multi web server environment. I have enabled letsencrypt on a number of domains through ISPConfig, but the certs are only being created on one of my 2 webservers at any time; this seems to alternate as well. Has anyone else come across this issue? Is ISPConfig supposed to keep the certificates in sync?
    I am running Ubuntu 16.04 and ISPConfig 3.1.3.

    Thanks in advance for your help.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The only way to use LE on mirrored web servers at the moment is to share the folders /usr/local/ispconfig/interface/acme/ and /etc/letsencrypt between the two servers by e.g. NFS or any other real-time network filesystem. The problem with LE is that you don't know if an LE request will reach server 1 or server 2 when you request a cert, so both servers have to share the same directory for the LE tokens and LE cert.
     
  3. davefrooney

    davefrooney Member

    Thanks for the info, till. Is the token specific to the server? Will I need to regenerate the certs for all the sites?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The token is created by LE locally when it is run to request a cert; LE then tries to reach this token "from outside" by connecting to the domain name the cert is issued for. So this token must be reachable from outside regardless of which of the two servers requested it; that's why I suggested using a directory that is shared over the network in real time for it, like an NFS share. I don't think that existing certs must be reissued, as an SSL cert is always for the domains it is issued for and not for a specific server, so sharing the /etc/letsencrypt dir between the two mirrored nodes should work in my opinion. I have not tested that yet, though.
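    The validation flow till describes above (the ACME client writes the token locally, the CA then fetches it over HTTP from whichever node the domain resolves to), as an added model that is example code of mine and not ISPConfig's, certbot's or Let's Encrypt's. Two http.server instances on 127.0.0.1 stand in for the two mirrored nodes, a symlink to one directory stands in for the shared NFS mount, the client is assumed to have run on node 1 only, and the account key thumbprint in the key authorization is a constructed placeholder:

```python
"""Added example (not ISPConfig, certbot or Let's Encrypt code): a local model of
ACME HTTP-01 validation against two mirrored web servers.

Two http.server instances on 127.0.0.1 stand in for the two nodes. The ACME
client runs on node 1 only and writes the challenge token there. The CA's
validator may contact either node, so validation succeeds from both only when
both nodes serve the same challenge directory (here a symlink to one directory
stands in for the shared NFS mount). The account key thumbprint is a placeholder.
"""
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Static file handler that does not log every request to stderr."""

    def log_message(self, *args):
        pass


def start_node(webroot):
    """Serve `webroot` on a free localhost port; returns (server, port)."""
    srv = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), partial(QuietHandler, directory=webroot))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def write_challenge(acme_dir, token, key_authz):
    """ACME client side: publish the key authorization under the token's name."""
    os.makedirs(acme_dir, exist_ok=True)
    with open(os.path.join(acme_dir, token), "w") as fh:
        fh.write(key_authz)


def validate_from(port, token, key_authz):
    """CA side: GET the token over plain HTTP and compare the body."""
    url = f"http://127.0.0.1:{port}/{CHALLENGE_DIR}/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=5) as resp:
            return resp.read().decode().strip() == key_authz
    except (urllib.error.URLError, OSError):
        return False  # 404, refused or timeout: validation fails on this node


def nodes_serving_token(webroots, token, key_authz):
    """Indices of the nodes from which validation would succeed."""
    servers, ok = [], []
    try:
        for i, root in enumerate(webroots):
            srv, port = start_node(root)
            servers.append(srv)
            if validate_from(port, token, key_authz):
                ok.append(i)
    finally:
        for srv in servers:
            srv.shutdown()
            srv.server_close()
    return ok


def scenario(shared):
    """Two nodes; `shared=True` mounts one challenge directory into both webroots."""
    base = tempfile.mkdtemp(prefix="acme-mirror-")
    roots = [os.path.join(base, "node1"), os.path.join(base, "node2")]
    for root in roots:
        os.makedirs(os.path.join(root, ".well-known"))
    if shared:
        shared_dir = os.path.join(base, "nfs-acme")  # stands in for the NFS export
        os.makedirs(shared_dir)
        for root in roots:
            os.symlink(shared_dir, os.path.join(root, CHALLENGE_DIR))
    token = secrets.token_urlsafe(32)
    # A real key authorization is token + "." + base64url(SHA-256(account JWK));
    # the thumbprint here is a constructed placeholder.
    key_authz = token + ".PLACEHOLDER-ACCOUNT-KEY-THUMBPRINT"
    # The ACME client ran on node 1 only.
    write_challenge(os.path.join(roots[0], CHALLENGE_DIR), token, key_authz)
    return nodes_serving_token(roots, token, key_authz)


if __name__ == "__main__":
    print("separate directories, nodes passing validation:", scenario(shared=False))
    print("shared directory, nodes passing validation:", scenario(shared=True))
```

    With separate directories only node 1 passes, so an issuance request lands on whichever node the CA happens to reach; with the shared directory both pass. On a real pair the equivalent check is to fetch http://DOMAIN/.well-known/acme-challenge/TOKEN with curl --resolve pinned to each node's public IP in turn and confirm both return the key authorization. Note that /etc/letsencrypt also holds the private keys, so an NFS export of it should be restricted to the two nodes and keep its root-only permissions.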
     
  5. ressel

    ressel Member

    If you share certs on e.g. NFS, will ISPConfig somehow reload the web server sometimes to ensure the newest certificate is in use?
     
  6. davefrooney

    davefrooney Member

    I created a shared folder for /etc/letsencrypt and merged the folders from the different web servers. The certs are now working on both servers, and new certs are being created in the shared folder when they are generated.

    Thanks for the help, guys.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes.
     