SNI on a pool of webservers

So we are a hosting provider looking to provide low-cost/free SSL for our customers.
Our web servers host sites for our customers; you can get to any site from any of the web servers, load balanced etc.

How would I implement this? Or is it even possible?

It's certainly possible, but it does have several challenges.

If you use http validation then all the servers that could respond for a particular domain have to either share the same filesystem (so the challenge file can be served up to Let’s Encrypt for validation) or you need to send all requests to /.well-known/acme-challenge to one server only.

If you use DNS validation (whereby you use DNS apis to create a TXT record with the challenge answer) then any machine can do the validation and certificate request (even a desktop).

In either case, certificate deployment would require custom scripting (a post-request script) to copy (and name) the PFX where you need it, usually a Central Certificate Store such as a UNC path. Alternatively, you would custom-script binding updates per server/site yourself.

We don’t currently provide any specialised functionality for load-balanced sites, but it may well be a feature eventually; some thought has gone into centrally orchestrating validation and deployment, but only a little so far.
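One way to check the first point above (every node behind the load balancer must serve the same `/.well-known/acme-challenge/` content for a given host) before letting an ACME client loose on the pool. This is an added example, not code from the thread or from Certify; the share path, node addresses and hostname are placeholders you would replace. It drops a random token file where IIS maps the challenge path, then asks each backend directly (with the customer's Host header, so IIS picks the right site) and compares what comes back.

```powershell
# Added example (not from the original thread): probe every web server in the pool
# for the same ACME challenge token. All three values below are assumptions.
param(
    [string]$ChallengeRoot = "w:\IIS-Shared\acme-challenge",   # assumed folder IIS maps to /.well-known/acme-challenge
    [string[]]$Nodes = @("10.0.0.11", "10.0.0.12"),              # constructed sample backend addresses
    [string]$SiteHost = "customer.example.com"                   # constructed sample customer hostname
)

# Write a random token file the way an ACME client would
$token     = [guid]::NewGuid().ToString("N")
$expected  = "probe-$token"
$tokenPath = Join-Path $ChallengeRoot $token
Set-Content -Path $tokenPath -Value $expected -NoNewline

$results = foreach ($node in $Nodes) {
    try {
        # HttpWebRequest lets us set the Host header explicitly, so we bypass the load balancer
        # and still reach the correct IIS site on that node
        $req = [System.Net.HttpWebRequest]::Create("http://$node/.well-known/acme-challenge/$token")
        $req.Host    = $SiteHost
        $req.Timeout = 10000
        $resp   = $req.GetResponse()
        $reader = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body   = $reader.ReadToEnd()
        $status = [int]$resp.StatusCode
        $resp.Close()
        [pscustomobject]@{ Node = $node; Status = $status; Ok = ($body.Trim() -eq $expected) }
    } catch {
        # 404 on one node usually means it is not reading the shared folder (or lacks the
        # extensionless-file mimeMap); connection errors mean the node is not reachable at all
        [pscustomobject]@{ Node = $node; Status = $_.Exception.Message; Ok = $false }
    }
}

Remove-Item $tokenPath -ErrorAction SilentlyContinue
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.Ok }) {
    Write-Warning "At least one node cannot serve the challenge path; HTTP validation will fail whenever Let's Encrypt lands on it."
}
```

Run it from any box that can reach the backends directly. If every node returns the token you are safe to use HTTP validation with a shared folder; if only one does, that node has to be the one the load balancer sends every `/.well-known/acme-challenge` request to, or you switch to DNS validation as described above.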

Would it be a worthwhile addition, as part of the deployment options, to have a way to automatically export (and possibly name?) the PFX with a specific password? This could streamline the process of using a centralised certificate store. I know it’s possible with post-scripts, but it would make sense to have the option natively if it’s not too difficult to implement (which obviously would be up to the team!).


Yes, Central Certificate Store support is a feature which we will eventually have (it affects naming of the exported files as well as attributes of the bindings we update/add); it just needs to be implemented.


I’ve been working through this recently; here’s a cert-export PowerShell script I wrote which works for me. This is to export all certs in the store to PFX with the appropriate name required by IIS centralised certificate management.

You will need to set your own output folder and export secret passphrase.

edit: if you have more than one common name in a cert, a separate pfx is required for each. You’ll need to configure certify and/or the script to deal with that.

edit 2: formatting

```powershell
# Set these for your environment: the CCS share and the PFX export passphrase
$outputFolder   = "w:\IIS-Shared"
$exportPassword = "secret"

# Every cert in the machine store that has an exportable private key
dir cert:\localmachine\my |
    Where-Object { $_.HasPrivateKey -and $_.PrivateKey.CspKeyContainerInfo.Exportable } |
    ForEach-Object {
        # IIS Central Certificate Store looks up <hostname>.pfx, so name the file after the subject CN
        $filename = "$($_.Subject).pfx"
        $filename = $filename -replace "CN=", ""
        [System.IO.File]::WriteAllBytes(
            (Join-Path $outputFolder $filename),
            ($_.Export('PFX', $exportPassword))
        )
    }
```
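The edit in the post above is the main gap a practitioner hits: CCS locates a certificate by the requested hostname, so a certificate with several names (or a wildcard) needs one file per name, and a store that still holds the previous, not-yet-expired copy after renewal should not win. The script below is an added example, not mikewells' script or Certify's code; the share path and passphrase are placeholders, and the parsing of the Subject Alternative Name extension assumes the English "DNS Name=" label that `Format()` produces on an English Windows install.

```powershell
# Added example (not from the original thread): export one PFX per DNS name for the
# IIS Central Certificate Store, handling multi-SAN and wildcard certificates and
# preferring the longest-lived certificate when two cover the same name.
$outputFolder   = "w:\IIS-Shared"   # assumed CCS share
$exportPassword = "CHANGE-ME"       # assumed passphrase; CCS must be configured with the same one

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the Subject Alternative Name extension; Format($true) renders one
    # "DNS Name=<host>" line per entry on an English locale (assumption noted above)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        $names += ($san.Format($true) -split "\r?\n") |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }
    if (-not $names) {
        # Old-style certificate with no SAN extension: fall back to the subject CN
        $cn = ($Cert.Subject -split ',') | Where-Object { $_.Trim() -like 'CN=*' } | Select-Object -First 1
        if ($cn) { $names += $cn.Trim().Substring(3) }
    }
    return ($names | Select-Object -Unique)
}

function Export-CcsCertificates {
    param([string]$Folder, [string]$Password)
    $written = @{}   # file path -> NotAfter of the certificate already written there
    $certs = Get-ChildItem cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }
    foreach ($cert in $certs) {
        try {
            # Export throws when the private key was imported as non-exportable, so
            # catch per certificate instead of aborting the whole run
            $pfxBytes = $cert.Export('PFX', $Password)
        } catch {
            Write-Warning "Skipping $($cert.Thumbprint): $($_.Exception.Message)"
            continue
        }
        foreach ($name in Get-CertDnsNames -Cert $cert) {
            # CCS naming: <hostname>.pfx, and a wildcard *.example.com is stored as _.example.com.pfx
            $path = Join-Path $Folder (($name -replace '^\*', '_') + ".pfx")
            # Renewed certs leave the old one in the store; keep whichever expires later
            if ($written.ContainsKey($path) -and $written[$path] -ge $cert.NotAfter) { continue }
            [System.IO.File]::WriteAllBytes($path, $pfxBytes)
            $written[$path] = $cert.NotAfter
            Write-Output "$path <- $($cert.Thumbprint) (expires $($cert.NotAfter.ToShortDateString()))"
        }
    }
}

Export-CcsCertificates -Folder $outputFolder -Password $exportPassword
```

Because CCS reads the file that matches the SNI hostname, every node in the pool picks up a new certificate as soon as the file on the share changes, which is what makes this approach fit the load-balanced setup in the original question. Treat the share itself as sensitive: the PFX files carry private keys, so restrict NTFS and share permissions to the IIS hosts' machine accounts and the account running the export.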

@mikewells Awesome, looks like a very efficient solution. We will eventually have native CCS support, but scripting is the best way currently.