SSL for multiple servers serving single domain

1. Caddy version (caddy version):

v2.3.0

2. How I run Caddy:

Running on a Linode shared instance using systemd, Caddyfile

a. System environment:

Ubuntu 20.04

b. Command:

systemctl start caddy

d. My complete Caddyfile or JSON config:

example.org {
  root * /var/www/example/app/api/public
  file_server
  php_fastcgi unix//run/php/php7.3-fpm.sock
  encode gzip
}

3. The problem I’m having:

I have auto ssl working flawlessly on a single domain and server in the USA.
Now I’d like to set up another identical server in Australia and use Geo DNS to route users according to whichever server is closer.
The problem is SSL - what is the best way to manage SSL certs across both servers?
Shared caddy storage is out of the question due to the physical distance between the 2 servers.

4. Error messages and/or full log output:

none

5. What I already tried:

I can use rsync and cron to copy ssl keys and certs from one server to the other every day, but I’m just wondering if there is a better way…
ACME DNS challenge should work except that my DNS provider (Zilore) is not supported…
I guess it could be time for me to learn golang and implement the Zilore support myself.

Just wondering if anyone has any advice before I start learning golang?

6. Links to relevant resources:

Well, you need shared storage. That is the solution.

But it doesn’t need to be filesystem storage; you may use any of the available storage plugins (e.g. Redis, Consul, DynamoDB).

Thanks Francis I’ll look into shared storage…

I’m wondering though what will happen in the following situation:

Server 1 in USA and Server 2 in Australia are using shared Caddy storage.
domain example.org currently has DNS A record pointing to Server 1
Server 1 automatically gets SSL certificate.
Server 2 sees the SSL certificate and uses it.
… some time passes …
Server 2 sees the certificate will expire soon and tries to renew the certificate and cannot, as the DNS A record points to Server 1.
What will happen?

Server 1 will receive the challenge request and solve it, and both servers will use the renewed certificate.

In general, though, shared storage is beneficial behind the same IP address so that multiple Caddy instances can act as one. With your DNS only pointing to one server, you lose that redundancy. How will server 2 ever be accessed with the DNS only pointing to server 1 anyway?

Geo DNS. Users in USA are routed to server 1, users in Australia are routed to server 2. Plus failover - if one server goes down, all users are routed to the other.

Ok, so the DNS actually points to both. That’s better. And you’ll get the same result. Let’s Encrypt uses multi-perspective validation so you’ll get challenge requests from multiple different networks. Caddy works just fine in these scenarios when sharing storage.

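The resolution above is that both servers read the same certificate (and serve the same ACME challenge tokens) from shared storage. The check a practitioner wants after setting this up is to confirm that each server, reached directly by IP with the domain as SNI so that Geo DNS is bypassed, presents the same leaf certificate, and that a renewal on one instance has actually propagated to the other. The script below is an added example, not code from this thread or from the Caddy project; the server IPs are assumed placeholders from the RFC 5737 TEST-NET ranges, and the 30-day alert threshold is an assumption of the example, not a Caddy setting.

```python
"""Check that every server behind a Geo-DNS name presents the same leaf
certificate. Added example; not part of the Caddy project or this thread."""
import hashlib
import socket
import ssl
import time

DOMAIN = "example.org"
SERVERS = {
    "us": "203.0.113.10",   # assumed placeholder, replace with the real US server
    "au": "198.51.100.20",  # assumed placeholder, replace with the real AU server
}
# Alert when a cert has less than this long to live (assumed threshold of the
# example; Caddy's own renewal timing is independent of it).
RENEW_WINDOW_SECONDS = 30 * 24 * 3600


def fetch_leaf(ip, servername=DOMAIN, port=443, timeout=5.0):
    """Connect to one server by IP, sending `servername` as SNI so that Geo DNS
    does not pick the server for us, and return (DER bytes, notAfter epoch).
    The default context verifies the chain and the hostname, so an instance
    serving a stale or self-signed fallback cert raises ssl.SSLError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            der = tls.getpeercert(binary_form=True)
            info = tls.getpeercert()
            not_after = ssl.cert_time_to_seconds(info["notAfter"])
    return der, not_after


def fingerprint(der):
    """SHA-256 of the DER certificate, hex, i.e. the value
    `openssl x509 -fingerprint -sha256` prints without the colons."""
    return hashlib.sha256(der).hexdigest()


def assess(results, now=None, renew_window=RENEW_WINDOW_SECONDS):
    """results: {server_name: (fingerprint_hex, not_after_epoch)}.
    Returns:
      consistent   True when every server presented the same leaf cert
      fingerprints the distinct fingerprints seen
      expiring     servers whose cert expires within renew_window seconds"""
    now = time.time() if now is None else now
    fps = {fp for fp, _ in results.values()}
    expiring = sorted(name for name, (_, na) in results.items()
                      if na - now < renew_window)
    return {"consistent": len(fps) == 1,
            "fingerprints": fps,
            "expiring": expiring}


def main():
    results = {}
    for name, ip in SERVERS.items():
        try:
            der, not_after = fetch_leaf(ip)
        except (OSError, ssl.SSLError) as exc:
            print(f"{name} ({ip}): FAILED: {exc}")
            continue
        results[name] = (fingerprint(der), not_after)
        expires = time.strftime("%Y-%m-%d", time.gmtime(not_after))
        print(f"{name} ({ip}): {results[name][0]} expires {expires}")
    report = assess(results)
    if not report["consistent"]:
        print("MISMATCH: servers present different certificates; "
              "check that both instances point at the same storage")
    for name in report["expiring"]:
        print(f"WARNING: {name} cert expires within the renewal window")
    return report


if __name__ == "__main__":
    main()
```

Run it from any host after a renewal; because it connects by IP rather than by name, it exercises both the US and the AU instance in one pass regardless of which one Geo DNS would route the caller to. A mismatch immediately after a renewal usually means one instance is not reading the shared storage. Keep in mind that the shared store now holds the private keys for the domain, so the Redis or object-storage credentials deserve the same protection as the key material in `/var/lib/caddy` did on a single server.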
Thank you all, this has been working well for the last couple of weeks. 1 server in USA, 1 server in Australia, both using the same Caddy JSON config file, caddy.storage.s3 module with Linode object storage and Redis.
