My situation is similar to this post: Storing certificates in a NFS mount
We’re running a swarm mode cluster, and Caddy will be the frontend as a reverse proxy, which also handles the TLS certificate stuff (LE).
To minimize the downtime, we want to run multiple instances of Caddy, such as docker service create --replicas 3 ..., and docker swarm mode ingress mesh routing will handle the load balancing for us.
As all the instances serve the same domain(s), we don’t want them to request the certificates for the same domain separately, so we plan to use NFS-like storage to share the certificates across the hosts in the swarm cluster, so those Caddy reverse proxies can share the same certificates.
Will this setup work for renewing the certificates?
With this setup, will all three instances send the renew request at the same time? Is it possible that after one of the instances fetches the new certificate, the others find that the certificate is new and it is not necessary to send a renew request again?
I checked the source code here:
https://github.com/mholt/caddy/blob/e49474a4f555d2b8ebfac504fb9a2d3bad08730e/caddytls/maintain.go#L50
and here:
It seems that Caddy checks the certificates for renewal every 12 hours. Does that mean that if those 3 Caddy instances start at (almost) the same time, they will all send the renew request at the same time, as none of them has finished the renew procedure yet?
Is it possible to add some randomness to the interval? Then all 3 Caddy instances would start the check at different times, even if they start at the same time, so there would be enough time for one to finish the renew procedure and, later, the rest of the instances would not request renewed certificates.
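The three ideas this question circles around, as an added example that is not part of the original post and not Caddy's own code: a jittered maintenance interval, a lock file taken on the shared mount before renewing, and a second look at the shared certificate after the lock is held so a replica that loses the race sees the fresh certificate and skips its own request. It is written in Go, the language Caddy is written in. Everything about the layout is an assumption for the example: a plain directory stands in for the NFS mount, the file names cert.pem and renew.lock are made up, the 30-day renewal window and 90-day lifetime are chosen for the demo, and issueCert mints a self-signed certificate as a stand-in for the ACME client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	mrand "math/rand"
	"os"
	"path/filepath"
	"time"
)

// Assumed layout on the shared mount (not Caddy's): one PEM certificate and one lock file per site.
const (
	certFile = "cert.pem"
	lockFile = "renew.lock"
)

// jitteredInterval spreads a replica's wake-up around base by up to +/- fraction; u is uniform in [0, 1).
func jitteredInterval(base time.Duration, fraction, u float64) time.Duration {
	return base + time.Duration((2*u-1)*fraction*float64(base))
}

// issueCert stands in for the ACME client: a self-signed certificate valid for lifetime from notBefore (constructed data).
func issueCert(notBefore time.Time, lifetime time.Duration) []byte {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only a broken system RNG gets here
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.UnixNano()),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// loadCert reads and parses the certificate from the shared directory.
func loadCert(dir string) (*x509.Certificate, error) {
	raw, err := os.ReadFile(filepath.Join(dir, certFile))
	if err != nil {
		return nil, err
	}
	block, _ := pem.Decode(raw)
	if block == nil {
		return nil, fmt.Errorf("no PEM block in %s", certFile)
	}
	return x509.ParseCertificate(block.Bytes)
}

// maintain is one replica's pass; true means this replica did the renewal. The lock is an
// O_EXCL create on the shared mount: atomic on NFSv3+, but a crashed holder leaves a stale file.
func maintain(dir string, now time.Time, window, lifetime time.Duration) (bool, error) {
	c, err := loadCert(dir)
	if err != nil {
		return false, err
	}
	if !now.Add(window).After(c.NotAfter) {
		return false, nil // still fresh: nothing to do, or a sibling already renewed
	}
	f, err := os.OpenFile(filepath.Join(dir, lockFile), os.O_CREATE|os.O_EXCL|os.O_WRONLY, 0o600)
	if os.IsExist(err) {
		return false, nil // a sibling holds the lock right now; look again next pass
	} else if err != nil {
		return false, err
	}
	f.Close()
	defer os.Remove(f.Name())
	if c, err = loadCert(dir); err != nil { // re-check under the lock
		return false, err
	}
	if !now.Add(window).After(c.NotAfter) {
		return false, nil // lost the race, and the winner's certificate is already on disk
	}
	tmp := filepath.Join(dir, certFile+".tmp")
	if err := os.WriteFile(tmp, issueCert(now, lifetime), 0o600); err != nil {
		return false, err
	}
	return true, os.Rename(tmp, filepath.Join(dir, certFile)) // atomic swap: no partial reads
}

func main() {
	dir, _ := os.MkdirTemp("", "shared-certs")
	defer os.RemoveAll(dir)
	now := time.Now()
	_ = os.WriteFile(filepath.Join(dir, certFile), issueCert(now.Add(-80*24*time.Hour), 90*24*time.Hour), 0o600) // 10 days left
	for i := 1; i <= 3; i++ { // three replicas whose checks fire back to back
		did, err := maintain(dir, now, 30*24*time.Hour, 90*24*time.Hour)
		fmt.Printf("replica %d: renewed=%v err=%v, next check in %v\n", i, did, err,
			jitteredInterval(12*time.Hour, 0.1, mrand.Float64()).Round(time.Minute))
	}
}
```

Run as is and only the first replica renews; the other two read the renewed certificate and return without touching the lock. The jitter alone does not make this safe: two replicas can still wake up close together, which is why the lock and the re-read under the lock carry the correctness, and the jitter only makes the common case cheap. Two caveats for a real NFS deployment: the O_EXCL create is only atomic on NFSv3 or later, and a replica that dies while holding renew.lock leaves a stale lock that this sketch never reaps, so production code needs a lock age check or a lease. The write-then-rename keeps a sibling from ever parsing a half-written cert.pem, which matters because every replica reads that file on each pass.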