Using Let's Encrypt with mirror setup

Discussion in 'Installation/Configuration' started by andreasli, Feb 17, 2021.

  1. andreasli

    andreasli New Member HowtoForge Supporter

    Hi

    I am planning to set up a mirror setup with ISPConfig. Currently I have a multiserver setup.

    What I want to do is to create a load balancer with failover. So the traffic is split between my servers and if one of my servers goes down my second server will take over.

    Based on my research it seems to be a problem when using Let's Encrypt, especially when renewing the SSL certificate. I have read in this forum that I can share the Let's Encrypt folders with NFS, but it seems to be hard when using a cluster setup. I want the SSL certificates to always be available, even if one server goes down. What will happen if the NFS server goes down?

    So my question is, is there any solution to use Let's Encrypt with a cluster setup without using NFS?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am not so sure how LB works in your scenario, but I think, if it is managed properly, you may use different certs for the websites on each server.

    Or, if you want to use the same certs, you could use rsync or any better or similar software to copy LE SSL folder to the other server.
     
  3. andreasli

    andreasli New Member HowtoForge Supporter

    Thank you for your answer @ahrasis.

    I plan to use unison to sync the files between the servers, including the Let's Encrypt certificates. What I don't know is how the renewal process will work in this scenario.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    An NFS share is necessary for the renewal to be successful. Rsync is not sufficient as this is not fast enough for the verification. If you only have one domain, you could do a DNS challenge instead of an HTTP challenge, but this is officially not supported by ISPConfig.
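Th0m's point above is that an HTTP-01 validation request can land on any backend behind the load balancer, so a token written on one node must already be readable on all of them. The following check is an added example, not code from the thread or from ISPConfig: it writes a probe file into the (assumed) shared ACME webroot and fetches it directly from each backend with the vhost's Host header, flagging any node that would make the renewal fail; the webroot path, backend addresses and domain are placeholders.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path
from typing import Optional

# Placeholder values (assumptions, not from the thread): the webroot your
# ACME client writes challenge files to, and the backends behind the LB.
WEBROOT = Path("/var/www/acme/.well-known/acme-challenge")
BACKENDS = ["192.0.2.10", "192.0.2.11"]   # documentation-range addresses
DOMAIN = "www.example.com"


def write_probe(webroot: Path) -> tuple:
    """Drop a random probe file where HTTP-01 tokens would be written."""
    name, token = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
    webroot.mkdir(parents=True, exist_ok=True)
    (webroot / name).write_text(token)
    return name, token


def http_fetch(backend: str, domain: str, name: str) -> Optional[str]:
    """GET the challenge path from one backend directly, bypassing the LB,
    with the Host header of the vhost being renewed."""
    url = f"http://{backend}/.well-known/acme-challenge/{name}"
    req = urllib.request.Request(url, headers={"Host": domain})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode(errors="replace")
    except (urllib.error.URLError, OSError):
        return None  # unreachable backend counts as a failing node


def check_backends(domain, backends, name, token, fetch=http_fetch) -> dict:
    """True for each backend that serves the exact probe token right now;
    a stale rsync/unison copy or a missing file shows up as False."""
    return {b: fetch(b, domain, name) == token for b in backends}


def main() -> None:
    name, token = write_probe(WEBROOT)
    results = check_backends(DOMAIN, BACKENDS, name, token)
    for backend, ok in results.items():
        print(f"{backend}: {'OK' if ok else 'MISSING/STALE'}")
    (WEBROOT / name).unlink()
    if not all(results.values()):
        raise SystemExit("HTTP-01 would fail on the backends marked MISSING/STALE")


if __name__ == "__main__":
    main()
```

Run it on the node that performs the renewal, right after the webroot is mounted; a node that reports MISSING/STALE is one the validator may be routed to.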
     
  5. andreasli

    andreasli New Member HowtoForge Supporter

    Thank you for the information. It seems like NFS is the best way to do it then.

    If I have three servers, two webservers and one NFS server, and the SSL certificates are saved on the NFS server, what will happen if the NFS server goes down? Will the SSL certificates stop working or are they cached in any way?
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes, that is the best choice, and yes, if the NFS server is down, the web sites will have an SSL error, unless you have its cluster backup up and running in its place immediately upon its failure.
     
  7. andreasli

    andreasli New Member HowtoForge Supporter

    Thank you for the help.

    Now I need to do a little bit more research and see if it is possible to create an NFS failover system.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    NFS failover should be possible now. I did read a few guides, but I never had such a need to test or implement the same.
     
  9. nhybgtvfr

    nhybgtvfr Active Member

    If you have a couple of spare servers/VMs, you could create a DRBD cluster. That will replicate across the block devices much faster than rsync or unison, and a failover from the active server to the hot standby should be seamless, so it removes all single points of failure.
    If you have spare drives, or have the space to create a couple of new partitions on your existing webservers, it's possible to create a DRBD cluster directly between them. It's a bit more work, and mounting locally is more awkward, but it is do-able.

    It's not straightforward or simple though; if you've never used DRBD before, expect it to take a while to get your head around it, as it can get quite complicated/confusing very quickly.

    You don't say if your servers are physical or VPSs, or where they're hosted. It's possible that EFS, or ObjectiveFS (uses an S3 bucket) on AWS, or Spaces on DigitalOcean are suitable (more resilient) alternatives to an NFS server. Google should have something similar too, or any other hosting/datacentre provider that offers external block storage devices to hosted servers/VPSs.

    Or, depending on the load balancer, you could install letsencrypt/certbot on the LB and terminate SSL there, although that comes with its own complications and automation difficulties, and still leaves you with having to replicate website files/databases.
     
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Obviously lots of solutions to the issue, one more would be using a clustered storage or filesystem (cephfs would be an example).
     
  11. andreasli

    andreasli New Member HowtoForge Supporter

    Thank you for all answers.

    To answer the question from @nhybgtvfr: I use VPS servers from the Finnish company UpCloud. They have two datacenters in Helsinki, Finland, but also in other parts of the world. Because I live in Finland I use their data centers in Finland. I think that UpCloud has no tool for creating a cluster like Amazon has. The idea is to have the servers split between the two datacenters in Helsinki.

    The reason why I want to have a cluster setup is not because I have high load on my servers, but because I want the websites on my servers to always be available.

    I need to see if it is worth it to change my server system to a cluster setup, but thank you for all suggestions. It seems to be more complicated than I thought when using Let's Encrypt.
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Depending on what you are hosting, you should also consider the extra work going into maintaining a mirrored setup, and there are more points of failure. Sometimes it is better to keep it simple, instead of having a complicated setup that goes down and needs much more time to restore.
     
  13. andreasli

    andreasli New Member HowtoForge Supporter

    Yes, I agree that it can be too big and complex to maintain for my needs. Thank you for all the help anyway. I will continue to use my multi server setup.
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Try looking at Hetzner as an alternative. I think they also have a datacenter in Helsinki, Finland.
     
  15. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Consider using a CDN to help with your website availability.
     