Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
High availability
»
ACME client certs, HA Proxy and OPNsense Master/Slave
« previous
next »
Print
Pages: [
1
]
Author
Topic: ACME client certs, HA Proxy and OPNsense Master/Slave (Read 896 times)
ednt
Jr. Member
Posts: 51
Karma: 2
ACME client certs, HA Proxy and OPNsense Master/Slave
«
on:
June 24, 2024, 09:11:14 am »
Hi,
today I did an update of our 2 OPNsense firewalls.
Update 'slave' no problem.
'Master' entering Persistent CARP Maintenance Mode -> colleagues noted that some webpages tells:
outdateded cert.
The certs are synchronized and the latest version were available on the 'slave'.
But the HA-Proxy on the 'slave' did never a restart to activate the new certs.
I had to restart the HA-Proxy on the 'slave' manually to activate the latest synchronized certs.
Is there a way to avoid this problem?
I only update the ACME certs on the 'master'.
Best regards,
Bernd
Logged
Monviech (Cedrik)
Global Moderator
Hero Member
Posts: 1597
Karma: 176
Re: ACME client certs, HA Proxy and OPNsense Master/Slave
«
Reply #1 on:
June 24, 2024, 09:15:14 am »
https://github.com/opnsense/plugins/issues/4012#issuecomment-2149700349
Logged
Hardware:
DEC740
ednt
Jr. Member
Posts: 51
Karma: 2
Re: ACME client certs, HA Proxy and OPNsense Master/Slave
«
Reply #2 on:
June 25, 2024, 08:49:33 am »
Yes, but pressing a button is not the solution.
Maybe you don't have to change anything. A working and running configuration.
The master refreshes the certs.
The old ones are outdated.
Now it happens. CARP is switching over and all HA with offloading results in a cert error.
There should be a 'schedule' in System, where you can include a sync job with restarting services.
(in my opinion)
Or an addition to the ACME job:
Sync the certs and restart all jobs which can be affected by the certs when one of the certs is renewed.
«
Last Edit: June 25, 2024, 09:57:23 am by ednt
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
High availability
»
ACME client certs, HA Proxy and OPNsense Master/Slave