Messages - ivosir

#1
Ah right, the OPNWAF-made certificates are not included in /conf/config.xml that is synced to the Backup. The Caddy way seems to be somewhat bumpy, but the ACME plugin + OPNWAF could be a viable solution, I will give it a try. Thanks for the hint!

Another possibility, somewhat harsh though, would be to reboot the Master from time to time to make the Backup take over and force it to renew the certs. :-)

#2
Hello,

We have two OPNsense nodes in High Availability setup. We use the OPNWAF plugin to proxy back-end hosted web sites. The plugin automatically manages TLS certificates from Let's Encrypt using the ACME protocol.

I've realized that the certificates are not synced from Master to Backup. The folder structure /usr/local/md/domains, where the certificates are stored on Master, is created on Backup, but each subfolder contains a fallback cert+key only. As a result, when the Backup node takes over, all web sites throw a certificate error. The certs do get gradually renewed from LE, but it takes a while, during which the web sites are unreachable.

Is this on purpose? Wouldn't it be better to synchronize the certs+keys from Master to Backup as well?

Thank you,
Ivo
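Added example (not from this thread or the OPNWAF plugin): a Python drift check that compares per-domain certificate fingerprints in a copy of /usr/local/md/domains taken from each node and reports domains where the Backup still holds only the fallback certificate. It assumes each domain folder stores its certificate as cert.pem or a .crt file (the plugin's real layout may differ), takes the fallback fingerprint as a parameter, and the sample trees and PEM blobs are constructed placeholders, not real certificates.

```python
"""Drift check for the HA gap above: compare per-domain cert fingerprints in two copies of /usr/local/md/domains."""
import base64, hashlib, os, re, tempfile

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_bytes):
    """SHA-256 fingerprints of every PEM certificate block in the blob (the leaf is normally first)."""
    return [hashlib.sha256(base64.b64decode(b"".join(block.split()))).hexdigest()
            for block in PEM_RE.findall(pem_bytes)]

def domain_fingerprint(domain_dir):
    """Fingerprint of the first cert.pem/.crt in a domain folder (assumed layout), or None if absent."""
    for name in sorted(os.listdir(domain_dir)):
        if name.endswith((".pem", ".crt")):
            with open(os.path.join(domain_dir, name), "rb") as fh:
                fps = cert_fingerprints(fh.read())
            if fps:
                return fps[0]
    return None

def compare_trees(master_root, backup_root, fallback_fp=None):
    """Map each Master domain to its state on Backup: ok, missing, fallback or differs."""
    status = {}
    for domain in sorted(os.listdir(master_root)):
        m_fp = domain_fingerprint(os.path.join(master_root, domain))
        b_dir = os.path.join(backup_root, domain)
        b_fp = domain_fingerprint(b_dir) if os.path.isdir(b_dir) else None
        if b_fp is None:
            status[domain] = "missing"
        elif fallback_fp is not None and b_fp == fallback_fp:
            status[domain] = "fallback"  # Backup would still serve the placeholder cert after failover
        else:
            status[domain] = "ok" if b_fp == m_fp else "differs"
    return status

def fake_pem(label):  # constructed stand-in: PEM armour around arbitrary bytes, not a real X.509 cert
    return b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(label.encode()) + b"\n-----END CERTIFICATE-----\n"

def build_demo():
    """Constructed trees: Master holds LE certs for both domains, Backup only for a.example."""
    root = tempfile.mkdtemp()
    layout = {"master": {"a.example": "le-a", "b.example": "le-b"},
              "backup": {"a.example": "le-a", "b.example": "fallback"}}
    for node, domains in layout.items():
        for domain, label in domains.items():
            os.makedirs(os.path.join(root, node, domain))
            with open(os.path.join(root, node, domain, "cert.pem"), "wb") as fh:
                fh.write(fake_pem(label))
    fallback_fp = cert_fingerprints(fake_pem("fallback"))[0]
    return compare_trees(os.path.join(root, "master"), os.path.join(root, "backup"), fallback_fp)
```

Run compare_trees against rsync'd copies of both nodes' domain folders before a planned failover; any domain not reported as "ok" is one that will throw a certificate error when the Backup takes over.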