-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
implemented event "renewing" (#233) #234
Conversation
Signed-off-by: Andreas Ulm <andreas.ulm@root360.de>
Just noticed that the staging area does not get cleaned afterwards.
|
@icing should I implement cleanup of staging area when renewing event-command fails? |
(Planning to merge this today.) @root360-AndreasUlm I guess cleaning staging would be counter-productive as another cluster node is most likely using it? But it touches a point: if a cluster node restarts, it might reset an existing staging. This needs then also be prevented somehow... |
hello im not sure if i understand the whole discussion correct, but would this new event interface (especially the "renewing" event) allow me to distribute the temporary certificate used for tls-alpn/1 challenge among several nodes? the problem is, we have several instances behind a load balancer. because we cannot ensure that the load balancer forwards the request to the one host which initially asked for cert_renewal, the idea is to distribute the challenge, so that each host can answer this challenge.. could this be achieved by this latest commits, i.e does the script get this info on the "renewal" event? after that, the certificate can be distributed to all nodes in the cluster when one triggers "installed"... thanks a lot for clarification! |
@daum3ns We created a setup with mod_md that stores the whole MDStoreDir on a NFS shared between all nodes behind the loadbalancer.
Maybe you can use this setup description for your systems too. |
The shared directory approach makes things easier, but that may not be common on clusters. We can add another "event" (call to MDMessageCmd) when challenges have been created. The only caveat here is that all invocations during the renewal process are made as "www-data" (or whatever user your server process is running on). So, if this is not an obstacle, we can certainly add more invocations. |
thanks for your answers! or even more extrem: could the challenge for the next renewal already be prepared immediately after a cert renewal.. like this we would have loads of time to distribute it among the nodes... sorry if this question is entirely stupid, but i dont understand the module 100% atm... |
No the "renewing" event is triggered before the challenge is created thus it would require an additional new event. @daum3ns can create a new issue describing your intention and use-case the we can discuss the implementation there. |
We follow up the discussion on the new ticket. @root360-AndreasUlm are we fine with closing this issue, now that the feature has been implemented? |
Yes, we can close this issue now. Thanks. |
Signed-off-by: Andreas Ulm andreas.ulm@root360.de