
Cluster aware task and renew process #756

Closed
alexhass opened this issue Feb 20, 2018 · 12 comments

Comments

@alexhass

alexhass commented Feb 20, 2018

Issue description

I need to run your tool on a clustered file server (without IIS). IIS webservers are frontend servers to the fileserver cluster and run on different boxes. Central Certificate Store is also implemented and the .PFX files are located on one file cluster volume. Since the CCS is located on a cluster volume, this volume may get moved between the file cluster nodes (e.g. server crash or load balancing or just updates) and may get other default hosts from time to time.

Now I have seen you save data for renew in "HKEY_LOCAL_MACHINE\SOFTWARE\letsencrypt-win-simple". But these keys are machine specific and not synchronized between cluster nodes.

My first plan was to place letsencrypt.exe on this cluster volume. Then I'm able to create a cluster-aware task that moves WITH the volume inside the cluster. This allows scheduled tasks to move with the volume to the host where the volume will be active. A cluster-aware task gets automatically disabled on the passive nodes and enabled on the active node.

Now the problem with letsencrypt.exe comes into play. It expects data in HKEY_LOCAL_MACHINE\SOFTWARE\letsencrypt-win-simple that will only exist on the node where you requested the certificates.

The only idea I have is that the registry data needs to be saved locally on the cluster volume. However, I have not found a configuration option to make this happen. I'm not sure how ConfigurationPath can solve this as it is only about ProgramData.

Steps to reproduce

  1. Install on a file cluster volume
  2. Create cluster aware task
  3. Request certificates
  4. Move volume to other cluster node.
  5. Registry from node1 does not exist on node2. Scheduled task does know it needs to do something when it comes to a renew.

The letsencrypt.exe tool is not used for IIS configuration. This will be done with other powershell scripts.

Client version: 1.9.8.4
Windows version: Windows 2016
Relevant part of log file: None.

Open questions:

  1. How can I move the registry data required for the scheduled task to disk location?
  2. How can I tell the scheduled task to lookup this folder/file/database and not the registry?
@WouterTinus
Member

WouterTinus commented Feb 20, 2018

The simple but honest answer is that you cannot do either of those things right now.

I can think of some workarounds, e.g. to run LEWS on a dedicated machine outside of the cluster, saving certificates to the CCS on the cluster through a network share. That creates a SPOF, though not a very critical one because renewal only needs to happen every 60 days or so.

Another option might be to configure the scheduled task in such a way that it imports a .reg file from a network share before running, and exports it to the same location after running. If that feels a bit dirty, that's because it is :).

I'll label this as a request for enhancement because there is not really a good reason why we should use the registry to store anything.
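The .reg import/export workaround described above, written out as an added illustration (this is not win-acme's own code and was not posted in the thread): a PowerShell wrapper that the cluster-aware scheduled task calls instead of letsencrypt.exe directly, so the renewal state stored under the registry key named in the issue travels with the cluster volume. The paths, the parameter names and the pass-through of client arguments are assumptions.

```powershell
# Added example (not win-acme's own code): wrap the client so its renewal
# state follows the cluster volume instead of staying in one node's registry.
# Assumptions: $StateFile lives on the cluster volume (or a share reachable
# from every node) and $ClientArgs is whatever you normally pass to the client.
param(
    [string]$ClientExe    = 'E:\win-acme\bin\letsencrypt.exe',   # assumed path
    [string]$StateFile    = 'E:\win-acme\data\lews-state.reg',   # assumed path
    [string[]]$ClientArgs = @()
)
$KeyPath = 'HKLM\SOFTWARE\letsencrypt-win-simple'   # key the thread identifies

# 1. Restore this node's registry from the last exported state, if there is one.
#    On a node that has never run the client the key is simply created.
if (Test-Path $StateFile) {
    & reg.exe import $StateFile | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg import failed (exit $LASTEXITCODE)" }
}

# 2. Run the client with the caller's arguments passed through unchanged.
& $ClientExe @ClientArgs
$clientExit = $LASTEXITCODE

# 3. Persist the (possibly updated) key back to the shared location. Export to
#    a temporary file first so a crash mid-export leaves the previous copy intact.
$tmp = "$StateFile.tmp"
& reg.exe export $KeyPath $tmp /y | Out-Null
if ($LASTEXITCODE -eq 0) {
    Move-Item -Force -Path $tmp -Destination $StateFile
} else {
    Write-Warning "reg export failed (exit $LASTEXITCODE); keeping previous state file"
}

exit $clientExit
```

The exported .reg file is plain text containing everything the client stored under that key, so the share or volume folder should be readable and writable only by the account the scheduled task runs as.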

@alexhass
Author

Thanks for your quick feedback. I already wondered why you save so many domains in the registry. I think an SQLite database may be better. Using a text file or XML file may also work, but I'm not sure how fast it is if you have 10.000 hostnames inside. With SQLite you can also use select and can reduce the result set with filters.

Any chance we can get rid of the registry within the next 15 days? Sorry, I'm in a hurry and would like to switch from Thawte to letsencrypt... there are certs running out and I hate the dirty solutions :-)

@alexhass
Author

Thanks. I was not aware that registry can be replicated. Will give it a try.

@WouterTinus
Member

The latest release stores renewal information in the ConfigurationPath instead of in the registry, at least for fresh installs.

@ScottHuston

I'd like to move to ConfigurationPath storage of my renewal information so that I can set up redundant win-acme instances. What's the suggestion to convert?

@WouterTinus
Member

Good question, I'll make a Wiki page to answer that.

@alexhass
Author

alexhass commented Feb 28, 2018

Thanks for the quick fix! I just tested it and learned some strange behaviour.

I configured a ConfigurationPath of E:\win-acme\data and placed the binary files in E:\win-acme\bin. Then the path E:\win-acme\data\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org was created. I was confused why the superfluous letsencrypt-win-simple directory was created. It is not a problem for me, but the documentation in the Wiki does not explain this for the migration, and on the first run I just copied httpsacme-v01.api.letsencrypt.org to E:\win-acme\data\httpsacme-v01.api.letsencrypt.org.

Is this the correct and wished behaviour to have this extra folder? I just thought with the project rename that this shouldn't be there. This could be just documentation, but it could also be a bug?

Additionally https://github.com/PKISharp/win-acme/wiki/Application-Settings yields the same questions. A word on how this path needs to be configured if there are automatisms like this would be beneficial, too.

@WouterTinus
Member

I didn't have time yet to do anything with the configuration folder handling. It requires some more work than simply changing a string, because we have to take existing installations into account.

The sub folder should IMO only be created under %programdata%, not under a custom path. But if that's a bug it would break existing installs if we 'just' fix it. I'll look into it sometime.

@alexhass
Author

That is not time critical; it is just something that needs to be documented or fixed, or better both. Will you reopen this case or do you need a new one?

@ScottHuston

I just migrated to using

```xml
<setting name="ConfigurationPath" serializeAs="String">
    <value>\\RHSITES\Sites\Certificates\Win-Acme-Config\</value>
</setting>
```

but every time I open letsencrypt-win-simple it tells me I'm using ProgramData...

 [DBUG] Config folder: C:\ProgramData\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org

 [INFO] A Simple ACME Client for Windows (WACS)
 [INFO] Software version 1911.2.6726.40690 (RELEASE)
 [INFO] IIS version 10.0
 [INFO] ACME server https://acme-v01.api.letsencrypt.org/
 [INFO] Please report issues at https://github.com/PKISharp/win-acme
