New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
several instances behind layer 4 load-balancer / new "event" when challenges are created #237
Comments
I think cluster setups are very specific and as long as the server is not aware of them, what can a little module do? Therefore I prefer the approach where As you wrote, there is ideally only one cluster node that is attempting a renewal at the same time. To prevent simultanous efforts, the new "renewing" event can suppress it. How you want to realize that behaviour on your cluster, you can judge better than me. Maybe you could synchronize that info as well and attach a timestamp on it, so that a burning node will not block renewals indefinitely. |
In v2.3.7 BETA release I added the That means |
@icing while testing i see the following behaviour: |
You are correct. Right now, the 'challenge-setup' is an event without a return code. Someone is listening on that to trigger the script. But the return code does not propagate back into the process. I agree that this should be changed. |
…!= 0 exit), the renewal process is aborted and an error is reported for the MDomain. As discussed in #237, this provides scripts that distribute information in a cluster to abort early with bothering an ACME server to validate a dns name that will not work. The common retry logic will make another attempt in the future, as with other failures.
I changed this in master and also added a test case for it. Will make a new release soon. |
Release in v2.4.7. |
as discussed a few times, it is quite hard to set up mod_md when running multiple instances behind a load balancer.
in our current setup, certificates are renewed manually and the distribution is then done via our configuration management tool..
now we want to enable mod_md to automate cert renewals and have ocsp handled correctly.
the main problem is:
now, i see two possible approaches for this problem:
1
the latest work on the "event like" behavior of MDMessageCmd, especially the new "renewing" event allows to share the knowledge between the hosts via NFS as @root360-AndreasUlm described here: #234 (comment)
Now when NFS is not an option, the problem still exists, because the "renewing" event is triggered before the challenges are created, so it is not possible to manually distribute it among the nodes (via tha called script) at this time.
With another new event "challange available" introduced, our workflow would look like this:
then, by slightly different renew windows, we can avoid the situation where this whole process starts on two nodes simultaneously, but we are still able to renew certificate as long as one host is up and running...
so i think this would be a solution..
2
the second approach seems almost impossible. i was thinking about some combination of:
but i'm not sure whether it is possible for mod_md to detect an "unexpected" challenge request. also it is a problem in case the "master node" is unavailable..
The text was updated successfully, but these errors were encountered: