ACME client certs, HA Proxy and OPNsense Master/Slave

Started by ednt, June 24, 2024, 09:11:14 AM

Hi,

today I did an update of our 2 OPNsense firewalls.
Update 'slave' no problem.
'Master' entering Persistent CARP Maintenance Mode -> colleagues noted that some webpages tell:
outdated cert.

The certs are synchronized and the latest version was available on the 'slave'.
But the HA-Proxy on the 'slave' never restarted to activate the new certs.
I had to restart the HA-Proxy on the 'slave' manually to activate the latest synchronized certs.

Is there a way to avoid this problem?

I only update the ACME certs on the 'master'.

Best regards,

Bernd


Yes, but pressing a button is not the solution.

Maybe you don't have to change anything. A working and running configuration.

The master refreshes the certs.
The old ones are outdated.

Now it happens. CARP is switching over and all HA with offloading results in a cert error.

There should be a 'schedule' in System, where you can include a sync job with restarting services.
(in my opinion)

Or an addition to the ACME job:
Sync the certs and restart all jobs which can be affected by the certs when one of the certs is renewed.
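A check for the situation described in this thread, added here as an example and not code from the thread or from the OPNsense project: it compares the SHA-256 fingerprint of the synchronized certificate file on disk with the certificate the local HAProxy is actually presenting, and reports (or, with `--restart`, restarts the service) when they differ. The cert path, listener address, SNI name and the `configctl haproxy restart` action are assumptions to adjust for your own host.

```python
"""Detect an HAProxy instance still serving a stale certificate after a cert sync."""
import base64
import hashlib
import socket
import ssl
import subprocess
import sys

# Assumed values (placeholders, not taken from the thread): adjust to your host.
CERT_PATH = "/path/to/synced/cert.pem"            # the synchronized cert file
LISTENER = ("127.0.0.1", 443)                      # HAProxy frontend to probe
SNI = "www.example.org"                            # hostname the frontend serves
RESTART_CMD = ["configctl", "haproxy", "restart"]  # assumed OPNsense action

def pem_fingerprint(pem: str) -> str:
    """SHA-256 hex fingerprint of the first PEM certificate block (over its DER bytes)."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()

def placeholder_pem(payload: bytes) -> str:
    """Wrap arbitrary bytes in a PEM envelope; constructed input for offline self-tests only."""
    body = base64.b64encode(payload).decode("ascii")
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def served_fingerprint(host: str, port: int, sni: str) -> str:
    """Fingerprint of the leaf certificate the TLS listener actually presents right now."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False   # we want the cert as served, not a validity verdict
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def is_stale(on_disk_fp: str, served_fp: str) -> bool:
    """True when the synced file and the running service disagree."""
    return on_disk_fp != served_fp

if __name__ == "__main__":
    with open(CERT_PATH) as fh:
        disk_fp = pem_fingerprint(fh.read())
    live_fp = served_fingerprint(*LISTENER, SNI)
    if is_stale(disk_fp, live_fp):
        print(f"stale: disk={disk_fp[:16]} served={live_fp[:16]}")
        if "--restart" in sys.argv:   # only act when explicitly asked
            subprocess.run(RESTART_CMD, check=True)
        sys.exit(1)
    print("HAProxy serves the synchronized certificate.")
```

Run it from a cron job on the secondary after each sync window; a non-zero exit means the running service has not picked up the synchronized certificate.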