Has anyone mentioned that the ACME client does not stay synchronized together with HA?
I see where some settings come over, but specifically certificates are not being copied, so if one server has the certificates and the other doesn't, then when they flip-flop, suddenly a bunch of sites come up with non-existent/expired certificates. This is happening using the HAProxy Reverse Proxy solution. HAProxy is syncing up, but ACME-Client isn't.
acme-client can't run in HA mode. It's just two separate instances creating certificates independently. I reckon this is going to be an issue syncing other configuration and mismatching on these different certificate pools.
https://github.com/opnsense/plugins/blob/master/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc#L83-L87
Cheers,
Franco
Caddy can do that. 8)
https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-and-high-availability-setups
It can issue certificates on master and backup OPNsense automatically at the same time.
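The failure mode described in this thread (the two HA nodes serving different, missing or expired certificates after a failover) can be caught before a failover by probing each node's real address directly. The script below is an added example, not code from the thread, OPNsense, acme-client or Caddy; the node addresses and site names are assumed placeholders, and it needs network access to both nodes' own addresses (not the CARP VIP, which only ever reaches the active node).

```python
"""Probe both OPNsense HA nodes by their real IPs and report sites where the
nodes serve different certificates or a certificate the default trust store
rejects (expired, self-signed, wrong name). Added example; node addresses
and site names below are assumed and must be replaced."""
import hashlib
import socket
import ssl
import sys

# Assumed values: the two nodes' non-CARP addresses and the reverse-proxied sites.
NODES = {"master": "192.0.2.10", "backup": "192.0.2.11"}
SITES = ["www.example.com", "mail.example.com"]


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate, as a hex string."""
    return hashlib.sha256(der_bytes).hexdigest()


def probe(node_ip, hostname, port=443, timeout=5):
    """Return (fingerprint, problem) for the certificate `node_ip` serves
    when asked for `hostname` via SNI.

    problem is None when the default trust store accepts chain and name
    (what a browser would see after failover to this node), otherwise the
    verification error text. If verification fails, a second handshake with
    verification off fetches the certificate anyway so it can be compared.
    Connection errors yield (None, error text)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((node_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return fingerprint(tls.getpeercert(binary_form=True)), None
    except ssl.SSLCertVerificationError as exc:
        problem = exc.verify_message
    except OSError as exc:
        return None, str(exc)

    ctx.check_hostname = False  # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((node_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return fingerprint(tls.getpeercert(binary_form=True)), problem
    except OSError as exc:
        return None, f"{problem}; refetch failed: {exc}"


def compare(results):
    """results: {site: {node: (fingerprint or None, problem or None)}}.

    Returns a sorted list of findings. An empty list means every node serves
    a valid certificate for every site and the fingerprints agree, i.e. a
    failover would not change what clients see."""
    findings = []
    for site, per_node in sorted(results.items()):
        for node, (_fp, problem) in sorted(per_node.items()):
            if problem:
                findings.append(f"{site}: {node} -> {problem}")
        seen = {node: fp for node, (fp, _p) in sorted(per_node.items()) if fp}
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{n}={fp[:16]}" for n, fp in seen.items())
            findings.append(f"{site}: nodes serve different certificates ({detail})")
    return findings


def main():
    results = {site: {node: probe(ip, site) for node, ip in NODES.items()}
               for site in SITES}
    findings = compare(results)
    for line in findings:
        print(line)
    print("OK: HA pair serves identical, valid certificates" if not findings
          else f"{len(findings)} finding(s)")
    sys.exit(1 if findings else 0)


if __name__ == "__main__":
    main()
```

Run it from a host that can reach both node addresses, ideally from cron, so a certificate that only one node renewed shows up as a fingerprint mismatch long before CARP moves the VIP. The first handshake uses the default trust store on purpose: an "expired" or "self-signed" verification message is exactly the error clients would get after a failover.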