Cluster aware task and renew process #756
Comments
The simple but honest answer is that you cannot do either of those things right now. I can think of some workarounds, e.g. to run LEWS on a dedicated machine outside of the cluster, saving certificates to the CCS on the cluster through a network share. That creates a SPOF, though not a very critical one because renewal only needs to happen every 60 days or so. Another option might be to configure the scheduled task in such a way that it imports a .reg file from a network share before running, and exports it to the same location after running. If that feels a bit dirty, that's because it is :). I'll label this as a request for enhancement because there is not really a good reason why we should use the registry to store anything.
Thanks for your quick feedback. I already wondered why you save so many domains in the registry. I think an SQLite database may be better. Using a text file or XML file may also work, but I'm not sure how fast it is if you have 10.000 hostnames inside. With SQLite you can also use select and can reduce the result set with filters. Any chance we can get rid of the registry within the next 15 days? Sorry, I'm in a hurry and would like to switch from Thawte to Let's Encrypt... there are certs running out and I hate the dirty solutions :-)
Alex, see this: https://support.microsoft.com/en-us/help/174070/registry-replication-in-microsoft-cluster-server You'll need to know the registry keys to checkpoint.
Thanks. I was not aware that the registry can be replicated. Will give it a try.
The latest release stores renewal information in the
I'd like to move to ConfigurationPath storage of my renewal information so that I can set up redundant win-acme instances. What's the suggestion to convert?
Good question, I'll make a Wiki page to answer that.
Thanks for the quick fix! I just tested it and learned some strange behaviour. I configured a ConfigurationPath of Is this the correct and wished behaviour to have this extra folder? I just thought with the project rename that this shouldn't be there. This could be just documentation, but it could also be a bug? Additionally https://github.com/PKISharp/win-acme/wiki/Application-Settings yields the same questions. A word on how this path needs to be configured if there are automatisms like this would be beneficial, too.
I didn't have time yet to do anything with the configuration folder handling. It requires some more work than simply changing a string, because we have to take existing installations into account. The sub folder should IMO only be created under
That is not time critical, it is just something that needs to be documented or fixed, or better both. Will you reopen this case or do you need a new one?
I just migrated to using
but every time I open letsencrypt-win-simple it tells me I'm using ProgramData...
Issue description
I need to run your tool on a clustered file server (without IIS). IIS web servers are frontend servers to the file server cluster and run on different boxes. Central Certificate Store is also implemented and the .PFX files are located on one file cluster volume. Since the CCS is located on a cluster volume, this volume may get moved between the file cluster nodes (e.g. server crash or load balancing or just updates) and may get other default hosts from time to time.
Now I have seen you save data for renewal in "HKEY_LOCAL_MACHINE\SOFTWARE\letsencrypt-win-simple". But these keys are machine specific and not synchronized between cluster nodes.
My first plan was to place letsencrypt.exe on this cluster volume. Then I'm able to create a cluster-aware task that moves WITH the volume inside the cluster. This allows scheduled tasks to move with the volume to the host where the volume will be active. A cluster-aware task gets automatically disabled on the passive nodes and enabled on the active node.
Now the problem with letsencrypt.exe comes into play. It expects data in HKEY_LOCAL_MACHINE\SOFTWARE\letsencrypt-win-simple that will only exist on the node where you requested the certificates.
The only idea I have is that the registry data needs to be saved locally on the cluster volume. However, I have not found a configuration option to make this happen. I'm not sure how ConfigurationPath can solve this as it is only about ProgramData.
Steps to reproduce
The letsencrypt.exe tool is not used for IIS configuration. This will be done with other PowerShell scripts.
Client version: 1.9.8.4
Windows version: Windows 2016
Relevant part of log file: None.
Open questions:
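The two pieces described in this thread, a cluster-aware scheduled task that follows the CCS volume (issue description above) and registry checkpointing of the HKLM\SOFTWARE\letsencrypt-win-simple key so that the renewal state follows the same resource (the registry-replication suggestion in the comments), can be wired together with the FailoverClusters and ScheduledTasks modules. This is an added example for illustration, not code from the win-acme / letsencrypt-win-simple project. The resource name, the path of letsencrypt.exe on the clustered volume, the task name and the renewal argument are assumptions (placeholders) you must replace with the values of your own cluster and installed version.

```powershell
# Added example, not part of the project. Run on any cluster node as an administrator.
# Placeholders (assumptions): the clustered disk/role resource that owns the CCS volume,
# the location of letsencrypt.exe on that volume, and the task name.
Import-Module FailoverClusters
Import-Module ScheduledTasks

$resourceName = 'FileServer-CCS-Disk'               # placeholder: your clustered resource
$exePath      = 'X:\letsencrypt\letsencrypt.exe'    # placeholder: exe on the clustered volume
$taskName     = 'letsencrypt-win-simple renewal'    # placeholder task name
$regKey       = 'SOFTWARE\letsencrypt-win-simple'   # key named in the issue, relative to HKLM

# 1. Registry checkpoint: the cluster service saves this HKLM subtree when the resource
#    goes offline and restores it on the node that brings the resource online, so the
#    renewal entries written on the active node are present after a failover.
Add-ClusterCheckpoint -ResourceName $resourceName -RegistryCheckpoint $regKey

# Show what is now checkpointed for the resource (defensive check that the key was taken).
Get-ClusterCheckpoint -ResourceName $resourceName -RegistryCheckpoint

# 2. Resource-specific clustered task: the task is enabled only on the node that currently
#    owns $resourceName, which is exactly the "moves WITH the volume" behaviour wanted here.
#    '--renew' is assumed to be the renewal switch of the installed 1.9.x client; copy the
#    arguments from the task the tool created on the original node if they differ.
$action  = New-ScheduledTaskAction -Execute $exePath -Argument '--renew'
$trigger = New-ScheduledTaskTrigger -Daily -At 9am

Register-ClusteredScheduledTask -TaskName $taskName `
                                -TaskType ResourceSpecific `
                                -Resource $resourceName `
                                -Action $action `
                                -Trigger $trigger

# Verify: the task should show TaskType ResourceSpecific bound to the resource.
Get-ClusteredScheduledTask -TaskName $taskName
```

Two caveats worth knowing before relying on this: the checkpoint is copied only at resource offline/online transitions, so a renewal that runs on the active node is not visible on passive nodes until the next failover (which is fine, because only the active node runs the task), and the clustered task runs under the cluster's own context, so the account must be able to read the CCS share and write the checkpointed key. Moving the renewal state out of the registry, as the maintainer proposes above, removes the need for step 1 entirely.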