ACME Client does not sync

Started by anomaly0617, March 25, 2024, 01:28:35 AM

Has anyone mentioned that the ACME client does not stay synchronized together with HA?

I see where some settings come over, but specifically certificates are not being copied, so if one server has the certificates and the other doesn't, when they flip-flop, suddenly a bunch of sites come up with non-existent/expired certificates. This is happening using the HAProxy Reverse Proxy solution. HAProxy is syncing up, but ACME-Client isn't.

acme-client can't run in HA mode; it's just two separate instances creating certificates independently. I reckon this is going to be an issue syncing other configuration and mismatching on these different certificate pools.

https://github.com/opnsense/plugins/blob/master/security/acme-client/src/etc/inc/plugins.inc.d/acmeclient.inc#L83-L87


Cheers,
Franco
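Since each node issues its own certificates, the practical check is whether the master and backup actually present the same leaf certificate for a given site. The script below is an added example, not code from this thread or from the acme-client plugin: it pulls the certificate each node serves for an SNI name, hashes both, and reports a mismatch. The host:port values and the SNI name are placeholders you supply as arguments; it assumes the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example: detect certificate drift between two HA nodes.
# Usage: ./check-ha-certs.sh MASTER_HOST:PORT BACKUP_HOST:PORT SNI_NAME
# (all three values are assumptions supplied by the operator, not from the thread)
set -eu

# Print the SHA-256 fingerprint of the PEM certificate in file $1.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Fetch the leaf certificate that node $1 (host:port) presents for SNI name $2
# and store it as PEM in file $3. Only the first (leaf) certificate is kept.
fetch_leaf_cert() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM > "$3"
}

# Compare two PEM files by fingerprint. Prints MATCH or MISMATCH and
# returns 0 when they are the same certificate, 1 otherwise.
compare_certs() {
  a=$(cert_fingerprint "$1")
  b=$(cert_fingerprint "$2")
  if [ "$a" = "$b" ]; then
    echo "MATCH $a"
    return 0
  fi
  echo "MISMATCH master=$a backup=$b"
  return 1
}

# Live check against both nodes; runs only when all three arguments are given,
# so the helper functions above can be sourced and tested without network access.
main() {
  tmp=$(mktemp -d)
  fetch_leaf_cert "$1" "$3" "$tmp/master.pem"
  fetch_leaf_cert "$2" "$3" "$tmp/backup.pem"
  compare_certs "$tmp/master.pem" "$tmp/backup.pem"
  rc=$?
  rm -rf "$tmp"
  return $rc
}

if [ "$#" -eq 3 ]; then
  main "$1" "$2" "$3"
fi
```

Run it for each SNI name HAProxy fronts; a MISMATCH on a name means a CARP failover would switch clients to whatever the backup node happens to hold for that site, which is exactly the symptom described in the opening post.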

Caddy can do that. 8)

https://docs.opnsense.org/manual/how-tos/caddy.html#caddy-and-high-availability-setups

It can issue certificates on master and backup OPNsense automatically at the same time.
Hardware:
DEC740