Case of load balanced IIS server farm with DFS


#1

Hi there,

I have a load balancer with 3 IIS servers, all using DFS to keep their local filesystems synchronized.

Let’s say server 1 has Certify and manages the certs. When the http challenge is performed, the /.well-known/acme-challenge/ http request may arrive at server 2 or 3; in this case, it seems DFS has not propagated the challenge file yet, resulting in a failure.

I’ve noticed that creating a properly named empty file in /.well-known/acme-challenge/ after the failure occurs makes the second challenge successful… Not very easy…

So my question is: Is there a way to prevent the clean-up of the acme-challenge file (or clean up after a certain amount of time…)? Or to delay the challenge request (30 seconds should be enough…)?

Thanks for your answers,

Grégoire


#2

Hi Greg,

Currently there isn’t an option to wait for challenge file propagation (but DNS validation does use pauses to allow for DNS challenge propagation).

In your case I’d suggest DNS validation (using v4 of the app) is probably going to be easier, as any server (or even your desktop machine) can perform the renewal, then it’s a case of distributing your certificate as required once it’s renewed (we don’t support Central Cert Store directly yet but it’s likely in the near future and achievable with custom post-request scripting).


#3

Ok I’ll try the v4, I guess it’s backward compatible with my 3.0.11. Thanks for your advice.
However, since I’m not able to modify zone files (because DNS is managed by a “closed” registrar), I won’t be using DNS challenges.

Forcing routing to the certify server upon request matching “/.well-known/acme-challenge/”, should solve my issue… (I’m thinking out loud…)

By the way, could you point me to a post-request ps script that would rename the issued cert and perform its registration in the store?

Thanks in advance if possible.

Greg.
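The routing idea in the post above can be done on the IIS nodes themselves rather than on the load balancer: servers 2 and 3 get a URL Rewrite rule that reverse-proxies anything under /.well-known/acme-challenge/ to the Certify node, so the DFS replication delay no longer matters. The script below is an added example, not code from Certify or from this thread. It assumes URL Rewrite and ARR are installed on the non-Certify nodes, that the Certify node is reachable internally as `certify-node.internal` (hypothetical name), and that the site is called `Default Web Site`. The rule is written into applicationHost.config via `-Location` rather than into the site's web.config on purpose: the site root is DFS-replicated, so a rule in web.config would also land on the Certify node and proxy to itself.

```powershell
# Added example (not Certify's code): proxy ACME http-01 requests from a
# non-Certify IIS node to the node that runs Certify.
# Run on servers 2 and 3 only, in an elevated PowerShell.
Import-Module WebAdministration

$SiteName    = 'Default Web Site'        # assumption: name of the load-balanced site
$CertifyHost = 'certify-node.internal'   # hypothetical internal name/IP of server 1
$RuleName    = 'ACME challenge to Certify node'

# Write to applicationHost.config (per-site <location>), NOT the replicated web.config.
$AppHost    = 'MACHINE/WEBROOT/APPHOST'
$RuleFilter = "system.webServer/rewrite/rules/rule[@name='$RuleName']"

# 1. ARR must have its reverse-proxy feature enabled for a Rewrite action to an
#    absolute URL on another host; this is a server-wide setting.
Set-WebConfigurationProperty -PSPath $AppHost -Filter 'system.webServer/proxy' `
    -Name 'enabled' -Value 'True'

# 2. Replace any previous copy of the rule, then add it.
Clear-WebConfiguration -PSPath $AppHost -Location $SiteName -Filter $RuleFilter `
    -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter 'system.webServer/rewrite/rules' -Name '.' `
    -Value @{ name = $RuleName; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$RuleFilter/match" -Name 'url' -Value '^\.well-known/acme-challenge/(.+)$'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$RuleFilter/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter "$RuleFilter/action" -Name 'url' `
    -Value "http://$CertifyHost/.well-known/acme-challenge/{R:1}"

# 3. Check from this node: the request must be answered by the Certify node.
#    Any HTTP status except 502/504 means the proxy path works (a 404 for an
#    unknown token is expected); 502/504 means ARR cannot reach $CertifyHost.
try {
    $r = Invoke-WebRequest -Uri 'http://localhost/.well-known/acme-challenge/probe' `
        -UseBasicParsing -ErrorAction Stop
    Write-Host "Proxy OK, status $($r.StatusCode)"
} catch {
    $status = $_.Exception.Response.StatusCode.value__
    if ($status -in 502, 504) { Write-Warning "ARR cannot reach ${CertifyHost}: HTTP $status" }
    else { Write-Host "Proxy OK, upstream answered HTTP $status" }
}
```

Two caveats: ACME validators also follow HTTP redirects, so a `Redirect` action to a publicly resolvable name for server 1 would work as well, but only if that name bypasses the load balancer; and whichever node you pick, keep the rule limited to the exact `/.well-known/acme-challenge/` prefix so nothing else on the farm is silently proxied to a single machine.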


#4

Hi Greg,

Sorry I don’t currently have an example script for copying to the Central Certificate Store. The trick is that the pfx file would likely need to be copied once for each domain included in the cert as IIS will match on the request domain name.
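The "one pfx per domain" point above translates directly into a post-request script: read every DNS name the issued certificate covers, then write the same pfx to the Central Certificate Store share once per name. The script below is an added example, not a Certify The Web script. It assumes the v4 post-request hook passes a `$result` object exposing `$result.IsSuccess` and `$result.ManagedItem.CertificatePath` (check this against your version's scripting docs), that the CCS share is `\\fileserver\CentralCertStore` (hypothetical), and that Certify's exported pfx has no password while the CCS feature is configured with its own single private-key password, so the script re-exports the pfx with that password.

```powershell
# Added example (not Certify's code): publish an issued certificate to the
# IIS Central Certificate Store, one <hostname>.pfx per covered DNS name.
param($result)   # assumption: Certify v4 post-request hook argument

$CcsShare    = '\\fileserver\CentralCertStore'   # hypothetical UNC path of the CCS share
$CcsPassword = 'ccs-private-key-password'        # placeholder: the password set on the CCS feature
$PfxPassword = ''                                # assumption: Certify's pfx export has no password

if (-not $result.IsSuccess) {
    Write-Host 'Certificate request did not succeed; nothing published.'
    return
}
$pfxPath = $result.ManagedItem.CertificatePath

# Load with an exportable key so we can re-wrap it with the CCS password.
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $PfxPassword, $flags)

# Collect every DNS name: subject CN plus all "DNS Name=" entries of the SAN extension (OID 2.5.29.17).
$names = New-Object 'System.Collections.Generic.HashSet[string]'
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($cn) { [void]$names.Add($cn.ToLowerInvariant()) }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    foreach ($entry in ($san.Format($false) -split ',\s*')) {
        $kv = $entry -split '=', 2
        if ($kv.Count -eq 2 -and $kv[0] -match 'DNS') {
            [void]$names.Add($kv[1].Trim().ToLowerInvariant())
        }
    }
}
if ($names.Count -eq 0) { throw "No DNS names found in $pfxPath" }

# One pfx blob, encrypted with the password the CCS feature knows.
$pfxBytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $CcsPassword)

foreach ($name in $names) {
    # CCS file naming: <hostname>.pfx; a wildcard '*.example.com' is stored as '_.example.com.pfx'.
    $fileName = ($name -replace '^\*', '_') + '.pfx'
    $target   = Join-Path $CcsShare $fileName
    $tmp      = "$target.tmp"
    # Write to a temp name and rename so IIS never reads a half-written pfx.
    [System.IO.File]::WriteAllBytes($tmp, $pfxBytes)
    Move-Item -Path $tmp -Destination $target -Force
    Write-Host "Published $target (thumbprint $($cert.Thumbprint))"
}
```

After a run, `Get-ChildItem \\fileserver\CentralCertStore` should list one pfx per name and an HTTPS binding with "Use Centralized Certificate Store" on each farm node picks the file up by the request's host name, so the same script works from whichever machine performs the renewal. Keep the share's ACL limited to the CCS service account and the renewal host: every file on it is a private key.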