OPNsense Forum

English Forums => High availability => Topic started by: JanZorz on May 08, 2023, 03:12:00 PM

Title: Certificates synchronization
Post by: JanZorz on May 08, 2023, 03:12:00 PM
Hi,

I'm running two firewalls in HA mode and sync from fw1 to fw2 works great. I also have an OpenVPN server on both of them, and when the first fw goes down I use the second one as the OpenVPN server, as the VRRP address becomes primary there. That means that I need to have all the user certificates on the secondary server.

For Web interface I'm using ACME certificate and fw1.domain.com is different from fw2.domain.com.

If I enable synchronization of certificates, the sync process transfers all certificates, including fw1.domain.com, and deletes the certificate for fw2.domain.com that I'm using on the secondary firewall for the web interface.

Is there an option to add "don't delete certificates on secondary server" setting on the synchronization configuration page?

Cheers, Jan Zorz
Title: Re: Certificates synchronization
Post by: Patrick M. Hausen on May 08, 2023, 04:05:58 PM
I use SANs (subject alternate names) in the certificate to cover all relevant hostnames in an HA configuration. E.g. "gate.mydomain.com" (VIP), "gate1.mydomain.com" (node 1), "gate2.mydomain.com" (node 2).

So one and the same cert for both nodes.
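As an added example (not code from the thread or from OPNsense), the following script builds one certificate whose SAN list covers the VIP and both node hostnames from the post above, then checks each name against it the way a TLS client would. The certificate is a throwaway self-signed one generated into a temp directory so the script runs offline; in the real setup it would be the ACME-issued cert, and the `-CAfile` argument would be the issuing CA chain rather than the cert itself. Hostnames are the placeholders used in the post.

```shell
#!/bin/sh
# Added example, not from the forum thread: one cert with SANs for the HA VIP
# and both cluster nodes, verified per hostname with openssl.
set -e

VIP_HOST="gate.mydomain.com"      # CARP/VIP name, what users type
NODE1_HOST="gate1.mydomain.com"   # node 1, what the per-node web UI answers to
NODE2_HOST="gate2.mydomain.com"   # node 2
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Writes an openssl config whose v3 section lists all three names as SANs.
make_san_config() {
  cat > "$WORK/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = $VIP_HOST
[v3_san]
subjectAltName = DNS:$VIP_HOST, DNS:$NODE1_HOST, DNS:$NODE2_HOST
EOF
}

# Generates a key and a self-signed cert carrying the SAN extension.
# (Stand-in for the ACME-issued certificate; self-signed only so it runs offline.)
make_cert() {
  make_san_config
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/gate.key" -out "$WORK/gate.crt" \
    -config "$WORK/san.cnf" >/dev/null 2>&1
}

# Returns 0 when the cert validates for hostname $1, i.e. $1 is in its SAN list.
# Trust is anchored at the cert itself because it is self-signed; with the real
# ACME cert, pass the CA chain to -CAfile instead.
cert_matches_host() {
  openssl verify -CAfile "$WORK/gate.crt" -verify_hostname "$1" \
    "$WORK/gate.crt" >/dev/null 2>&1
}

# Lists the DNS SAN entries, one per line.
list_sans() {
  openssl x509 -in "$WORK/gate.crt" -noout -text | grep -o 'DNS:[^,]*' | tr -d ' '
}

make_cert
echo "SANs in the cert:"
list_sans
for h in "$VIP_HOST" "$NODE1_HOST" "$NODE2_HOST"; do
  cert_matches_host "$h" && echo "OK: $h is covered by the same cert"
done
cert_matches_host "gate3.mydomain.com" || echo "Not covered: gate3.mydomain.com (expected)"
```

Because every name is in one certificate, syncing that single cert to both nodes is enough; each node's web UI answers under its own hostname without a per-node cert that the sync would overwrite. Add a fourth SAN before you add a third node, since a hostname missing from the list fails exactly like the `gate3` check above.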
Title: Re: Certificates synchronization
Post by: JanZorz on May 08, 2023, 05:19:11 PM
That's a neat idea, thanks!!!

How do you redirect the acme challenge http request for a secondary node to the primary node that is doing the certificate renew? haproxy?

Cheers, Jan
Title: Re: Certificates synchronization
Post by: Patrick M. Hausen on May 08, 2023, 06:58:54 PM
I use acme-dns, not HTTP.
Title: Re: Certificates synchronization
Post by: marcquark on May 08, 2023, 08:39:54 PM
I don't know if anything has recently changed in OpenVPN, but normally you don't need to have all user certificates on both nodes. In fact, you don't need to have any of them on your firewall(s) at all.
Technically, all that should be necessary is the CA, so that the OpenVPN server can validate the user's certificate chain. You could issue user certificates in another system and deploy them to your clients through whatever mechanism; it should still work.
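To illustrate the point above, here is an added example (not from the thread, not OPNsense or OpenVPN code) that builds a throwaway PKI in a temp directory and runs the same chain check an OpenVPN server performs against its `ca` file: a client cert issued off-box by the VPN CA is accepted, a cert from an unrelated CA is not. The CA names, user names and file prefixes are placeholders; the only thing the "server" holds is `vpn-ca.crt`.

```shell
#!/bin/sh
# Added example, not from the forum thread: the server only needs the CA cert
# to validate client certs, so user certs can be issued anywhere.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal config for a self-signed CA (basicConstraints is what makes
# `openssl verify` accept it as an issuer). CN is overridden by -subj.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

# Creates a self-signed CA: $1 = file prefix, $2 = CA common name.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Issues a client cert signed by CA $1 for user $2 (CSR, then sign).
# This is the part that can live on a separate PKI host, not on the firewall.
issue_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 30 -out "$WORK/$2.crt" >/dev/null 2>&1
}

# What the OpenVPN server does with its `ca` file: returns 0 if client cert $2
# chains to CA $1, non-zero otherwise. Only the CA cert is consulted.
server_accepts() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_ca vpn-ca "VPN Users CA"     # the one cert both firewalls need
make_ca other-ca "Unrelated CA"   # e.g. a cert someone brought from elsewhere
issue_client_cert vpn-ca alice    # issued off-box, never copied to the firewall
issue_client_cert other-ca mallory

server_accepts vpn-ca alice && echo "alice: accepted (chains to VPN Users CA)"
server_accepts vpn-ca mallory || echo "mallory: rejected (issuer not trusted)"
```

In OpenVPN terms, `server_accepts` is the `ca` directive doing its job; the server's own `cert`/`key` and the per-user certificates are independent of it. One caveat if issuance moves off the firewall: revocation has to follow it, so the CRL produced wherever the certs are issued must reach both nodes for `crl-verify`, otherwise a withdrawn user cert still chains cleanly to the CA.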
Title: Re: Certificates synchronization
Post by: JanZorz on May 09, 2023, 08:08:25 AM
Ahhh... true! Thank you for that. So technically I don't need to sync all the certificates until I have to renew the CA...

Cheers, Jan