Giter VIP home page Giter VIP logo

Comments (3)

RyanHoldren avatar RyanHoldren commented on May 23, 2024

Perhaps the certificates⁠—and private keys, for that matter⁠—could be stored in AWS Systems Manager Parameter Store or whatever the equivalent service is for Azure/Google Cloud.

from micronaut-acme.

alvarosanchez avatar alvarosanchez commented on May 23, 2024

Please post questions in StackOverflow.

You can also try with asking in Gitter.

from micronaut-acme.

zendern avatar zendern commented on May 23, 2024

@RyanHoldren I missed this originally sorry about that..... the way it works right now is each server would end up requesting a new certificate which should work with in theory with no issues. Assuming you are using Lets Encrypt you can see previous responses here about doing so but main issues with this approach are 2 things. 1. would be rate limiting and 2. would be the authorizations process. (https://community.letsencrypt.org/t/aws-distributing-current-certbot-certificates-amongst-server-which-are-spun-up-with-autoscale/35739/2). So in theory you could randomize the acme.renew-within property to have them renew on different intervals to skirt the ratelimiting if you have that many servers.

But to the issue of the authorization step that would have issues if you selected http/tls since those would need to get directed to whichever server actually made the call since there is a token involved at the time of order. There is a chance it could work but unlikely due to you more than likely having a load balancer in place.

That leaves you with DNS being you only option but ATM DNS option requires manual intervention until #3 #4 #5 (or whatever DNS provider you are using that might have an API) are done and it just happens automatically.

And maybe there are other routing options or fanciness you could do to get the authorizations to work out.... id be curious to hear more about how you have certbot running on multiple servers requesting renewals or maybe you dont and you just have a "master certbot server" that does all the magic and then NFS to share the cert.

Also as far as storing the certificate in AWS Systems Manager Parameter Store or whatever the equivalent service is for Azure/Google Cloud. Not sure it solves the issue. The biggest hangup i think is the authorization process. But maybe again you just have 1 node do it, share to a storage provider and then all the other nodes check for changes on an interval. ¯_(ツ)_/¯ #spitballin. But now you're down to 1 node and no redundancy.

from micronaut-acme.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.