Hi,
today I did an update of our 2 OPNsense firewalls.
Update 'slave' no problem.
'Master' entering Persistent CARP Maintenance Mode -> colleagues noted that some webpages reported an
outdated cert.
The certs are synchronized and the latest version was available on the 'slave'.
But the HA-Proxy on the 'slave' never restarted to activate the new certs.
I had to restart the HA-Proxy on the 'slave' manually to activate the latest synchronized certs.
Is there a way to avoid this problem?
I only update the ACME certs on the 'master'.
Best regards,
Bernd
https://github.com/opnsense/plugins/issues/4012#issuecomment-2149700349
Yes, but pressing a button is not the solution.
Maybe you don't have to change anything. A working and running configuration.
The master refreshes the certs.
The old ones are outdated.
Now it happens: CARP switches over and every HA setup with offloading results in a cert error.
There should be a 'schedule' in System, where you can include a sync job with restarting services.
(in my opinion)
Or an addition to the ACME job:
Sync the certs and restart all jobs which can be affected by the certs when one of the certs is renewed.
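Until there is a scheduled "sync certs and reload affected services" job, a workaround for the situation described in this thread is a small cron job on the 'slave' that compares the certificate HAProxy is actually serving with the one synchronized to disk and reloads HAProxy only when they differ. The script below is an added example for this thread, not code from the thread, from OPNsense or from the HAProxy plugin. The certificate path, the frontend address and SNI name, and the reload command are assumptions that have to be adapted to the box; the two PEM blobs used for the self-check are constructed placeholders, not real certificates.

```python
"""
Reload HAProxy on an HA backup node only when the certificate it serves no
longer matches the certificate that HA sync wrote to disk.

Added example for this forum thread; not OPNsense or HAProxy plugin code.
All paths, addresses and commands below are assumptions to adapt locally.
"""
import hashlib
import socket
import ssl
import subprocess
import sys

# Assumptions: where the synced cert lives on the backup node, which local
# frontend to probe, which hostname to send as SNI, and how to reload.
CERT_PATH = "/path/to/synced/fullchain.pem"    # assumed path on the 'slave'
FRONTEND = ("127.0.0.1", 443)                   # assumed local HAProxy frontend
SNI_NAME = "www.example.com"                    # assumed hostname served by HAProxy
RELOAD_CMD = ["service", "haproxy", "reload"]   # assumed; check the plugin's own action

# Constructed placeholder blobs (valid base64, NOT real certificates) so the
# comparison logic can be exercised offline with --selfcheck.
SAMPLE_OLD_PEM = "-----BEGIN CERTIFICATE-----\nAAECAwQFBgcICQ==\n-----END CERTIFICATE-----\n"
SAMPLE_NEW_PEM = "-----BEGIN CERTIFICATE-----\nCgsMDQ4P\n-----END CERTIFICATE-----\n"

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def der_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem: str) -> str:
    """Fingerprint of the first certificate in a PEM file (the leaf in a fullchain)."""
    # ssl.PEM_cert_to_DER_cert accepts exactly one certificate, so cut out the
    # first BEGIN/END block; intermediates after it are ignored on purpose.
    start = pem.index(PEM_BEGIN)
    end = pem.index(PEM_END, start) + len(PEM_END)
    return der_fingerprint(ssl.PEM_cert_to_DER_cert(pem[start:end]))


def served_fingerprint(addr, sni: str, timeout: float = 5.0) -> str:
    """Connect to the local frontend and fingerprint the leaf cert it presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # We only want to know WHICH cert is served, not whether it validates.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(addr, timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))


def needs_reload(disk_pem: str, served_fp: str) -> bool:
    """True when the cert on disk is not the one the frontend currently serves."""
    return pem_fingerprint(disk_pem) != served_fp


def selfcheck() -> bool:
    """Offline check of the decision logic with the constructed sample blobs."""
    same = needs_reload(SAMPLE_OLD_PEM, pem_fingerprint(SAMPLE_OLD_PEM))
    changed = needs_reload(SAMPLE_NEW_PEM, pem_fingerprint(SAMPLE_OLD_PEM))
    return (not same) and changed


def main(argv) -> int:
    if "--selfcheck" in argv:
        return 0 if selfcheck() else 1
    with open(CERT_PATH, encoding="ascii") as fh:
        disk_pem = fh.read()
    served = served_fingerprint(FRONTEND, SNI_NAME)
    if not needs_reload(disk_pem, served):
        print("served cert matches the synced cert, nothing to do")
        return 0
    print("served cert differs from the synced cert, reloading HAProxy")
    subprocess.run(RELOAD_CMD, check=True)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it from cron on the 'slave' a few minutes after the ACME renewal window on the 'master'; because it probes the live frontend instead of watching file timestamps, it also catches the case where the file was synced but the reload never happened, which is exactly what showed up during the CARP switchover. If HAProxy serves several certificates, probe each SNI name it is responsible for.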