Mirror Server + LetsEncrypt

I am seeing that letsencrypt dirs are not synchronised. Should this happen with Unison? I checked the (bought) config manual but it's not in there?

 

Okidoki, thnx Till

 

Wouldn't it be sufficient on the the mirror to just rsync the /etc/letsencrypt folder regularly?

I mean the LE certs are valid for 90 days. After 60 days the should get autorenewed.

So with a daily cron ( rsync -avp /etc/letsencrypt/ user@mirror:/etc/letsencrypt ) it would sync the current certs once per day to the mirror. Since there's a 30-day grace period before the certs expire I think it's not harmful if the sync of the new cert is like 1 day laters.

 

I see. I don't use mirror setup so I know too little about it.

 

I think im gonna switch back to a single server and just have a 2nd web/mysql host.

 

Hey Guys,

i have set up an ISPConfig mirror Setup with two nodes. With Shared IP on 2 local load-balancers. DNS for Websites is set on the Shared-IP.

i have added an acl in haproxy that the access to "/.well-known/acme-challenge" reach every time only server 1.

there is a cert-Sync between the servers with unison, all no problem. If Cert gets created, there is no problem with website access, even if automatic loadbalanced.

My Problem is: 2nd server tries to created Cert Request and i do not know how to prevent him from doing this.

Is there any chance to let certs only create/requested on server 1? This little thing is missing for me to have a perfect Ispconfig Mirror

thx for help

 

Currently ( I don't use ISPConfig mirror feature ) I use some hackish ( cronjob, not inode watch based yet ) attempt best described in code:

Code:

$data = '';

try {
    //* Login to the remote server
    if($backup_session_id = $backup_client->login($backup_username,$backup_password)) {
        $data .= 'Logged into remote server sucessfully. The SessionID is '.$backup_session_id."\n";
        $webseiten = array(10,11,12,13,14);
//        $webseiten = array(10);
        foreach($webseiten as $id) {
            $r = $backup_client->sites_web_domain_get($backup_session_id, $id);

            $filename = '/var/www/'.$r['domain'].'/ssl/'.$r['domain'].'-le.bundle';
            $ssl_bundle = file_get_contents($filename);
            $filename = '/var/www/'.$r['domain'].'/ssl/'.$r['domain'].'-le.crt';
            $ssl_cert = file_get_contents($filename);
            $filename = '/var/www/'.$r['domain'].'/ssl/'.$r['domain'].'-le.key';
            $ssl_key  = file_get_contents($filename);

            $r['ssl_bundle'] = $ssl_bundle;
            $r['ssl_cert']   = $ssl_cert;
            $r['ssl_key']    = $ssl_key;
            $r['ssl_action'] = 'save';

            $backup_client->sites_web_domain_update($backup_session_id, 0, $id, $r);
        }
        if($backup_client->logout($backup_session_id)) {
            mail('zguzig', 'sync', 'SSL-Zertifikate synchronisiert'. "\n". $data);
        }

    }

I just don't use LE on backup-server but let it save the files as it has been issued by some commercial cert provider.

 

I am also using the mirrored solution for ISPconfig. When i click on the Letsencrypt checkbox the certificate is requested and approved for Letsencrypt. But the checkboxes for SSL en Letsencrypt are not checked. Is this also the same problem described by till? The website can be accessed througd https.

 

And i can solve this to create a NFS share and put the LE folder on this share? Or is this solved in the git-stable release?

 

Can you tell me how to do this? the NFS is clear for me but not how to put the Letsencrypt and acme folder on the NFS share:

The only option that I see at the moment (beside using DNS based LE verification outside of ISPConfig) is to have /etc/letsencrypt and /usr/local/ispconfig/interface/acme/ on a shared filesystem (e.g. share these folders from master to all slaves with nfs.

 

I have setup a running Version with Unison and iWatch.

iWatch Daemon looks for Directory Changes in Letsecrypt folders (see above). And Unison will sync needed Files. Until now, it works ok. I think shared FS should be better as well

Thx for help

 

Thanks @nighty985. It sound like this iwatch you mentioned is almost similar to inotifywait.

 

What i did right now is i create 3 VPS. 1 NFS and 2 ISPconfig server where the second server is a mirror of the first server. Everything is now working perfect

 

yes, you´re right, but it is easier to use as daemon:

when the challenges for letsencryp are created, we have to immediately sync these files. if not, maybe validation fails. this scenario works good for me until now.

seemts that ispconfig tries in my case 12:06, 03:00 and 00:38 to do something with letsencrypt certificates.
I got Mails that locks for certbot are created. Maybe this is a check for cert renewals.

here are the configs (still testing, but maybe it helps someone):
/etc/iwatch/iwatch.xml:

Code:

<?xml version="1.0" ?>
<!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >

<config charset="utf-8">
  <guard email="[email protected]" name="iWatch"/>
  <watchlist>
    <title>Letsencrypt+Webroot</title>
    <contactpoint email="[email protected]" name="nighty"/>
    <path type="recursive" syslog="on" exec="/usr/bin/unison">/etc/letsencrypt</path>
    <path type="recursive" syslog="on" exec="/usr/bin/unison">/usr/local/ispconfig/interface/acme/</path>
    <path type="regexception">.log</path>
  </watchlist>
</config>

in your Unison these pathes have to be synced, in my case /var/www is also included in the unison profile, but it is not needed to get notified via iwatch for changes.

additional i have a cron that triggers unison to sync /var/www folder - thats in this case not mission critical.