If I manage my own certs, do I still get these benefits?

I am considering how to set up two Caddy servers behind an haproxy load balancer. Yesterday I learned that I can use an NFS share to have two Caddy servers coordinate certificate management.

Today I am wondering if it may be better to do my certificate management on Caddy server A and manage the certificates myself on Caddy server B. I am concerned that NFS introduces a single point of failure.

What would I lose if I managed the certs by hand on Caddy server B? The docs list the benefits below. Would I still get these benefits (aside from auto-management, of course) on my Caddy B?

In summary, Caddy implements these TLS features for you automatically. It is the only server to do so by default:

Session identifiers
Session ticket key rotation
OCSP stapling
Dynamic record sizing
Application-layer protocol negotiation
Forward secrecy
HTTP/2 (for the HTTP server)
Certificate management (including auto-renew)
Man-In-The-Middle detection (for HTTPS sites)

Keep in mind that Caddy loads certificates from storage into memory just once and doesn’t touch storage again (for certificates) until a renewal is needed, which is once every 60 days. If your NFS mount is down for 60 days, then yeah that’s a problem.

You’d lose certificate management (auto-renew) – nothing else.

But I strongly recommend letting certificate management be automated; it’s much safer in the long run.
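As an added illustration of the two setups discussed above (not configuration from the thread or from the Caddy project itself), here are the two Caddyfiles side by side. It assumes Caddy v2 Caddyfile syntax (the thread does not say which version), a hypothetical NFS mount at /mnt/nfs/caddy, hypothetical certificate paths under /etc/caddy/certs, and a hypothetical backend on 127.0.0.1:8080.

```caddyfile
# --- /etc/caddy/Caddyfile on server A (separate file) ---
# Automatic certificate management. The storage global option points
# Caddy at the shared NFS mount (hypothetical path), which is how a second
# automated instance would coordinate on the same certificates. Caddy only
# reads storage at load time and at renewal, so a short NFS outage in
# between does not affect serving.
{
    storage file_system {
        root /mnt/nfs/caddy
    }
}

example.com {
    reverse_proxy 127.0.0.1:8080
}

# --- /etc/caddy/Caddyfile on server B (separate file) ---
# Certificates managed by hand. The tls directive is given the certificate
# and key files directly (hypothetical paths), so this instance never uses
# the NFS storage and never renews anything. Per the answer above, the only
# feature given up is automatic renewal; renewing and replacing these files
# before they expire becomes an operational task on server B.
example.com {
    tls /etc/caddy/certs/example.com.crt /etc/caddy/certs/example.com.key
    reverse_proxy 127.0.0.1:8080
}
```

Because server B no longer renews on its own, its certificate expiry needs to be tracked out of band (for example by monitoring the file's notAfter date), or an expired certificate will go unnoticed until clients start failing.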

