Topic: ACME client certs, HA Proxy and OPNsense Master/Slave (Read 895 times)
ednt (Jr. Member, Posts: 51, Karma: 2)
« on: June 24, 2024, 09:11:14 am »
Hi,
Today I did an update of our 2 OPNsense firewalls.
Update 'slave' no problem.
'Master' entering Persistent CARP Maintenance Mode -> colleagues noted that some webpages tell: outdated cert.
The certs are synchronized and the latest versions were available on the 'slave'.
But the HA-Proxy on the 'slave' never did a restart to activate the new certs.
I had to restart the HA-Proxy on the 'slave' manually to activate the latest synchronized certs.
Is there a way to avoid this problem?
I only update the ACME certs on the 'master'.
Best regards,
Bernd
Monviech (Cedrik) (Global Moderator, Hero Member, Posts: 1595, Karma: 176)
« Reply #1 on: June 24, 2024, 09:15:14 am »
https://github.com/opnsense/plugins/issues/4012#issuecomment-2149700349
Hardware: DEC740
ednt (Jr. Member, Posts: 51, Karma: 2)
« Reply #2 on: June 25, 2024, 08:49:33 am »
Yes, but pressing a button is not the solution.
Maybe you don't have to change anything. A working and running configuration.
The master refreshes the certs.
The old ones are outdated.
Now it happens. CARP is switching over and all HA with offloading results in a cert error.
There should be a 'schedule' in System, where you can include a sync job with restarting services.
(in my opinion)
Or an addition to the ACME job:
Sync the certs and restart all jobs which can be affected by the certs when one of the certs is renewed.
« Last Edit: June 25, 2024, 09:57:23 am by ednt »
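A check for the condition described in this thread, as an added example that is not part of the original posts or of OPNsense: it compares the leaf certificate a node's HAProxy frontend actually serves with a reference PEM (for instance the renewed certificate exported after the sync) and exits non-zero on a mismatch. The node address, port, SNI name and PEM path are placeholders, and it assumes the frontend is reachable on the node being tested.

```python
#!/usr/bin/env python3
"""Report a TLS frontend that serves a different leaf than a reference PEM."""
import hashlib
import re
import socket
import ssl
import sys

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def leaf_der_from_pem(pem_text):
    """DER bytes of the first certificate block in a PEM bundle.

    Works for leaf+chain files and for bundles that start with a private key.
    """
    match = CERT_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate block in reference PEM")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def sha256_fp(der):
    return hashlib.sha256(der).hexdigest()


def served_leaf_der(addr, port, sni):
    """Leaf certificate presented at addr:port for the given SNI name."""
    # Validation is off on purpose: an expired certificate must still be
    # readable so it can be compared. No application data is sent.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def is_stale(served_der, reference_pem):
    """True when the served leaf differs from the reference leaf."""
    return sha256_fp(served_der) != sha256_fp(leaf_der_from_pem(reference_pem))


if __name__ == "__main__":
    # Placeholder usage: check.py <node-addr> <port> <sni-name> <reference.pem>
    addr, port, sni, ref_path = sys.argv[1:5]
    with open(ref_path, encoding="ascii") as fh:
        stale = is_stale(served_leaf_der(addr, int(port), sni), fh.read())
    print(f"{sni} via {addr}: {'STALE, proxy restart needed' if stale else 'current'}")
    sys.exit(1 if stale else 0)
```

Run after each renewal and sync against the backup node, the non-zero exit status can feed a cron mail or a monitoring check.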