Hi, I have a question regarding clustered ISPConfig and Let's Encrypt functionality. I've created a two-server ISPConfig cluster according to this article. Everything works just fine except Let's Encrypt. Problem description: When I enable Let's Encrypt on any website it triggers letsencrypt on both servers, but only one is able to finish verification because the DNS A record is pointing only to one of these two clustered servers. The result is that the letsencrypt cert is created and available on one server in the cluster, but globally it fails. What I can do then is just go to MySQL and manually configure SSL and letsencrypt as enabled, and everything works just fine. This is a very annoying workaround and it's not possible to do this for every website. Do you have any idea, solution or recommendation for clustered ISPConfig and Let's Encrypt? Thanks
I guess the only solution is to put the /etc/letsencrypt directory and the directory /usr/local/ispconfig/interface/acme on a shared network filesystem (e.g. by using NFS) so that both servers share the same LE directories.
Interesting solution, but I was wondering what will happen if the host fails, since the purpose is to run the mirror server if the main server fails.
Certificates are copied by ISPConfig from the letsencrypt folder to the website ssl folder automatically (for example /var/www/clients/client1/web5/ssl/). All folders in /var/www are mirrored on both servers, so if you lose the primary server everything will work fine except new LE requests. For me it's perfectly fine because loss of the primary server is an emergency situation and must be solved asap (it has higher priority than adding new websites).
I am currently building up the same, so I am wondering whether, basically, NFS is copying them just like scp does? I found a lot of materials with regards to both, but currently I am using the latter while trying to create a script for it; that is why I am asking, i.e. to know which one is better or preferred. There are other suggestions that I found in my searches, like rsync or even ssh code like this instead:

Code:
tar cf - /your/folder | ssh user@remoteMachine "cd /destination/folder ; tar xf -"

More reading only made me uncertain which one to choose. What do you think?
Rsync cannot be used for these two folders as they have to contain the same content in real time. Otherwise, LE will fail when it tries to create the verification token on server 1 but the http request is received on server 2 when it's an active/active cluster. For an active/passive cluster, rsync might work, but you would have to modify the ISPConfig code a little bit to ensure that certbot is never invoked on the slave server, and you will have to ensure that rsync for the ssl cert is always run before ISPConfig tries to configure a vhost; otherwise apache or nginx might fail when the SSL cert on the slave does not exist yet at that time.
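To illustrate the shared-directory setup described above, here is an added example (not code from the thread or from ISPConfig): NFS export and mount lines for the two directories, plus a preflight check that writes a challenge-style token as one node sees the acme directory and confirms the other node's view serves the same bytes before certbot is relied on. The node addresses 192.0.2.10/192.0.2.20 and the .well-known/acme-challenge layout under the acme webroot are assumptions; adjust them to your cluster.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes node1 (192.0.2.10)
# is the NFS server and node2 (192.0.2.20) the client; both paths are assumed
# to match ISPConfig's defaults as quoted in the thread.
ACME_DIR=/usr/local/ispconfig/interface/acme
LE_DIR=/etc/letsencrypt

# node1: lines to append to /etc/exports (then run `exportfs -ra`).
# Exported to node2 only; no_root_squash is needed because certbot runs as root.
exports_lines() {
  printf '%s 192.0.2.20(rw,sync,no_root_squash,no_subtree_check)\n' "$LE_DIR" "$ACME_DIR"
}

# node2: lines to append to /etc/fstab so both directories mount at the same
# paths as on node1 (ISPConfig and the vhost aliases expect identical paths).
fstab_lines() {
  printf '192.0.2.10:%s %s nfs defaults,_netdev 0 0\n' "$LE_DIR" "$LE_DIR" "$ACME_DIR" "$ACME_DIR"
}

# Preflight check: write a token where certbot's webroot plugin would put it
# ($writer_dir/.well-known/acme-challenge/) and read it back through the other
# node's view of the directory. Returns 0 if both views agree, 1 otherwise.
#   $1 = acme dir as seen from the node where certbot runs
#   $2 = acme dir as seen from the other node (e.g. an sshfs mount of it)
check_shared_acme() {
  writer_dir=$1
  reader_dir=$2
  token="preflight-$$-$(date +%s)"
  mkdir -p "$writer_dir/.well-known/acme-challenge" || return 1
  printf '%s' "$token" > "$writer_dir/.well-known/acme-challenge/$token"
  seen=$(cat "$reader_dir/.well-known/acme-challenge/$token" 2>/dev/null)
  rm -f "$writer_dir/.well-known/acme-challenge/$token"
  [ "$seen" = "$token" ]
}
```

Run check_shared_acme on both nodes before enabling Let's Encrypt on a site; if it fails, the token certbot writes on one node is exactly what the other node will fail to serve.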
You can also use some advanced replication methods but it's a bit overkill from my point of view. https://en.wikipedia.org/wiki/Distributed_Replicated_Block_Device
Just a note: We plan to implement DNS auth for LE (it is required for wildcard certs anyway), and this will make things easier as we won't have to share the acme directory in real time anymore. Replication of the cert itself might then happen in ISPConfig. But that's for the future, so not a solution at the moment.
Thank you very much for the answer and info. I have decided to use NFS as well for my cluster server.
I am running an ISPConfig 3.1.12 failover cluster on Debian 9, using a cluster IP which I can switch between the two servers. Both servers are configured with their own IP and the cluster IP. For a while now, Let's Encrypt certificates are no longer issued on the second node when I create or modify a domain. Any idea on that?