Backup server and let's encrypt

Discussion in 'Installation/Configuration' started by EncrierDigital, Apr 13, 2018.

  1. EncrierDigital

    EncrierDigital New Member

    Hello,
    System : Debian 9.4
    IspConfig : 3.1.11
    I'm installing a mirror server of the main server. With rsync for files and mysql replication for websites.
    I'm wondering how to deal with let's encrypt certificate for the website.
    If I check "let's encrypt" a new certificate will be generated, thus I will have different certificates on the production server and the backup server.
    Will both certificates remain valid?
    Thanks in advance for your reply
    François
     
  2. Poliman

    Poliman Member

    It all depends on the DNS setup. Letsencrypt will work nicely and renew without problems on the server which the DNS zone points to. :) Letsencrypt will get "renewal failed" when it tries to check the specific domain against the A record in DNS. If it doesn't find a match it won't renew the cert, and after a month (the renewal process starts a month before cert expiration) the cert will expire.
     
  3. EncrierDigital

    EncrierDigital New Member

    Hi,
    Thanks, there will not be another DNS entry as this box should work in case of disaster on the main server only.
    I can copy the certificates by rsync too; what I'm wondering is whether, if new certificates are issued on the backup server, the certificates on the prod server will stay valid.
    But I guess Let's Encrypt does not invalidate certificates except when out of time...
    Best regards
     
  4. ahrasis

    ahrasis Well-Known Member

  5. EncrierDigital

    EncrierDigital New Member

    Thanks, Good guide by the way ;)
    Server A -> Production Website 'example.com' with a valid certificate until May 15 2018, for example
    I set up Server B
    Server B -> Live Backup of Website
    I create a certificate on Server B for Website Backup: will that invalidate my certificate on Server A for my website?
    Server B will not be online except if Server A is destroyed
    There will not be an entry for 'example.com' on Server B in DNS as we use a failover IP. By the way, will Let's Encrypt be able to create the certificate? I guess not.
     
  6. ahrasis

    ahrasis Well-Known Member

    If I were you, I would create the server B FQDN as an aliasdomain to server A, as in my extended guide for multi server setup (which includes basic backup / cluster server setup).

    There I have shown a way on how to create LE SSL certs for other server as an aliasdomain to the main server and how they can be automatically updated and copied upon their updates (which is basically extending the original incron script).

    If the main server fails and the backup server is to replace it, all LE SSL certs for the second server will remain valid within their 90-day period, and you can use that time to reconfigure their renewal from this replacement server further on.

    About the main server FQDN that is not made available in the backup server DNS zone, I think that a backup server should contain everything important / necessary from the main server.

    That being said, I do think it is possible to create a backup server FQDN website and have its LE SSL certs on its own, but you will have to explore ways to do it if that is your preference and weigh their pros and cons.
     
  7. EncrierDigital

    EncrierDigital New Member

    Hello,
    Thanks a lot.
    It seems that all is working fine, the new server is OK, and I've seen that LE certificates are not IP related, so I think it will not be an issue anyway.
    Best regards
     
    ahrasis likes this.
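
Added example, not part of the original thread: a check a standby server could run over certificates copied by rsync, following Poliman's point in post 2 that renewal only succeeds on the server DNS points to and starts a month before expiry. The function names, status strings and the 192.0.2.10 / 198.51.100.20 addresses are assumptions made for illustration; the expiry date is the one from post 5.

```python
import socket
import ssl
import time

RENEW_WINDOW_DAYS = 30  # "renewal process starts month before cert expiration" (post 2)

def resolve_a(domain):
    """Return the IPv4 addresses the domain's A records currently point to."""
    try:
        return set(socket.gethostbyname_ex(domain)[2])
    except socket.gaierror:
        return set()

def standby_cert_status(domain, not_after, local_ips, now=None, resolve=resolve_a):
    """Classify a certificate held on this server (hypothetical helper).

    not_after uses the format printed by `openssl x509 -noout -enddate`,
    e.g. "May 15 12:00:00 2018 GMT". `resolve` is injectable so the
    check can be exercised without network access.
    """
    now = time.time() if now is None else now
    days_left = (ssl.cert_time_to_seconds(not_after) - now) / 86400
    if days_left <= 0:
        return "expired"
    if days_left > RENEW_WINDOW_DAYS:
        return "valid"
    # Inside the renewal window: domain validation only succeeds on the
    # server the A record points to, so a standby that is not in DNS
    # must receive the renewed certificate from the primary instead.
    dns_points_here = bool(resolve(domain) & set(local_ips))
    return "renew-here" if dns_points_here else "needs-copy-from-primary"

if __name__ == "__main__":
    # Constructed sample: DNS points at the primary (192.0.2.10) while
    # this standby only owns 198.51.100.20.
    def fake_dns(domain):
        return {"192.0.2.10"}

    now = ssl.cert_time_to_seconds("Apr 30 12:00:00 2018 GMT")
    print(standby_cert_status("example.com", "May 15 12:00:00 2018 GMT",
                              {"198.51.100.20"}, now, fake_dns))
```

A result of `needs-copy-from-primary` means the copy on the standby is inside the renewal window and will expire unless the renewed certificate is synced over from the production server.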