Multiple IIS Servers

Is there a way yet to handle renewing multiple servers? We are expanding from 1 to 2 IIS servers in a farm. Should we just run the program on both using the same cert name/info? Or is there a way to push/renew together?

I saw some older topics and not sure if anything has changed.

Hi, currently there is no change but there are plans for centralised certificate (CCS) support. The trick is not in exporting to the CCS location but in getting the IIS servers to synchronise their http challenge responses to Let’s Encrypt and the subsequent binding updates for the matching sites.

Can each server run the CertifyTheWeb module and renew the same DNS name for itself?

In theory, perhaps. But it really depends on how requests reach the two servers. Is there a single IP with load balancing? Are there multiple IPs with the same DNS name?

Both sound tricky to make sure the challenges make it to the server that sent the HTTP-01 request unless they somehow share the .well-known folder. That way they both serve from that shared folder and write to that shared folder.

Expiration emails won’t work reliably unless you request two technically different certificates. For example, #1; #2 & Let’s Encrypt will see them as two different certificate timers, so you’ll get warning emails if either one fails renewal for long.

Or maybe DNS-01 challenges would provide you with different solutions?

Yes, if you use DNS challenges for authorization instead of http then it works fine for multiple servers serving the same domains/sites. You can use this option if your dns is with one of our supported providers (aws route 53 etc).

Doing multi-server http challenges is a substantial feature in it’s own right, it has been considered several times but hasn’t reached the top of the list of planned work yet.

Yes, I’m using dns-01 Challenge type. Thanks for the response. Last question here. I am as he mentioned above using a load balancer with two backend IIS servers. Will this still work or will it be a problem if connections/requests go to another backend server at some point?

Since you’re not using HTTP-01, it shouldn’t matter even if all of your servers are unreachable. The challenge doesn’t depend on a web server at this point, I believe.

You might still encounter a hidden issue if only one of the servers stops being able to renew and the certificate subjects are the same. Let’s Encrypt will sent expiration notices by certificate, not by individual server requesting the certificate. So if you go the route where each server is requesting individually, make sure that the certificates are not exactly the same. IE, the certificates must have non-identical subject alt names. Make up sub-domains for the second certificate, if you have to. If done correctly, you should receive emails from Let’s Encrypt if any server is about to expire.

I had this issue last year and got it working as described here - Using Certify the web on more than one server