Using Certify the web on more than one server


#1

Hi

I’m new to the Certify the Web app and was wanting to know whether it is possible to use it to generate and renew certificates supporting the same domains on multiple servers (2-4 servers), with one Certify the Web app running on each server,

or whether I should be looking at using a central certificate store (CCS) and running some custom scripts/actions to add the generated/renewed certificates to the central certificate store, then get IIS on each server to point to the CCS and set up/renew site bindings for the certificate accordingly.

Could you confirm the best way in which the Certify the Web app could be used to solve this?

Thanks


#2

Hi,
The app doesn’t currently have native CCS support, but it is planned for the future. You could theoretically use a script of your own (a post-request PowerShell script) to deploy the certificate to your CCS store with the correct naming, but I’m not sure if anyone is currently doing it that way.

The potentially larger issue is shared validation if you are using HTTP validation (where a challenge response file is created in the website), as this needs to be included in the response of all web servers unless you can direct all /.well-known/acme-challenge requests to a single server.
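As an added example of the post-request script idea mentioned above (this is not code from the thread or from Certify the Web itself), the following PowerShell pushes a freshly issued certificate into an IIS Central Certificate Store share. IIS CCS looks up a file named after the host name (`www.example.com.pfx`, with a wildcard `*.example.com` stored as `_.example.com.pfx`) and decrypts every file with the single private-key password configured on the CCS feature, so the script writes one copy per certificate name and re-exports under that password. It assumes Certify calls the script with a `$result` object exposing `IsSuccess`, `ManagedItem.CertificatePath`, `ManagedItem.RequestConfig.PrimaryDomain` and `ManagedItem.RequestConfig.SubjectAlternativeNames` (check this against the version you run), that the PFX Certify writes has an empty password, and that `\\fileserver\ccs` and the CCS password are placeholders you replace.

```powershell
# Added example (not from the original thread or from Certify the Web):
# post-request script that deploys the issued certificate into an IIS CCS share.
#
# Assumptions (verify against your Certify the Web version):
#   - the script is invoked with a $result object carrying $result.IsSuccess,
#     $result.ManagedItem.CertificatePath, $result.ManagedItem.RequestConfig.PrimaryDomain
#     and $result.ManagedItem.RequestConfig.SubjectAlternativeNames
#   - the PFX Certify writes has an empty password
#   - \\fileserver\ccs and the CCS password below are placeholders
param($result)

$ccsShare       = '\\fileserver\ccs'              # placeholder UNC path of the CCS share
$ccsPassword    = 'change-me-ccs-password'        # placeholder; must match the CCS private-key password
$sourcePassword = ''                               # password of the PFX Certify wrote (assumed empty)

function ConvertTo-CcsFileName {
    param([string]$HostName)
    # CCS naming convention: <hostname>.pfx, with a leading '*' written as '_'.
    return ($HostName -replace '^\*', '_') + '.pfx'
}

function Export-CcsPfx {
    param([string]$SourcePfx, [string]$SourcePassword, [string]$TargetPath, [string]$TargetPassword)
    # Import the whole PFX (leaf plus any intermediates) with an exportable key and
    # re-export it under the CCS password. Write to a temp name and move into place
    # so IIS never picks up a half-written file.
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::Exportable
    $col   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $col.Import($SourcePfx, $SourcePassword, $flags)
    $bytes = $col.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $TargetPassword)
    $tmp = "$TargetPath.tmp"
    [System.IO.File]::WriteAllBytes($tmp, $bytes)
    Move-Item -Path $tmp -Destination $TargetPath -Force
}

function Get-CertificateHostNames {
    param($ManagedItem)
    # Primary domain plus SANs, de-duplicated; CCS needs one file per served host name.
    $names = @($ManagedItem.RequestConfig.PrimaryDomain)
    if ($ManagedItem.RequestConfig.SubjectAlternativeNames) {
        $names += $ManagedItem.RequestConfig.SubjectAlternativeNames
    }
    return $names | Where-Object { $_ } | Select-Object -Unique
}

if (-not $result.IsSuccess) {
    Write-Warning 'Certificate request failed; nothing deployed to the CCS share.'
    return
}

$pfx = $result.ManagedItem.CertificatePath
foreach ($name in Get-CertificateHostNames $result.ManagedItem) {
    $target = Join-Path $ccsShare (ConvertTo-CcsFileName $name)
    Export-CcsPfx -SourcePfx $pfx -SourcePassword $sourcePassword -TargetPath $target -TargetPassword $ccsPassword
    Write-Output "Deployed $pfx -> $target"
}
```

The account the Certify service runs as needs write access on the share, and the CCS password should be kept somewhere better than a plain-text script (a DPAPI-protected file readable only by that account, for instance). The per-server side is a one-time job rather than part of the renewal script: enable CCS with the same password (`Enable-WebCentralCertProvider` in the WebAdministration module) and create the HTTPS bindings with `New-WebBinding ... -SslFlags 3` (SNI plus CCS), after which IIS selects the PFX by host name on every request and renewals need no binding changes at all.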


#3

@smithr18 well it looks like you’re not alone! SNI on a pool of webservers


#4

I’ve managed to get this working (at least initially) by creating a network share to contain the “.well-known” directory, and then configuring that as a virtual directory under each of the IIS sites on each of the servers that need access to it. You also need to use the share when configuring “Certify the Web”, in the “Website Root Directory” field.

This config meant that whichever server Certify the Web was running on, it would put the verification file in a single, shared location, and whichever server Let’s Encrypt hits over HTTP will also hit the same single, shared location. A big pain that we had to do this, but glad to get it working. I wasn’t able to use the DNS verification approach as each server needed its own unique TXT file configuring, with the same name but a different value. Using that approach we would need to modify the TXT file every time each server tried to renew its certificate. That was obviously not a good option for an automated renewal process.

Hopefully the app will handle all of this natively in the future.

Thanks.
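The shared-“.well-known” setup described in the post above, as an added example that is not part of the original thread or of Certify the Web: the script creates a `.well-known` virtual directory on every IIS site of the server it runs on, pointing at the UNC share, makes sure `acme-challenge` inside the share serves extensionless token files, then drops a constructed probe token into the share and fetches it from each node’s IP while presenting the site’s host name, which is the check that matters here: any server Let’s Encrypt lands on must return the same file. `\\fileserver\acme\.well-known`, the node IPs and `www.example.com` are placeholders, the WebAdministration module is assumed to be installed, and the IIS application pool identity (by default the machine account) is assumed to have read access on the share.

```powershell
# Added example (not from the original thread or from Certify the Web):
# point every IIS site's /.well-known at one UNC share and verify the challenge
# path from each node. Placeholders: share path, node IPs, host name.
#Requires -Modules WebAdministration
Import-Module WebAdministration

$sharePath = '\\fileserver\acme\.well-known'   # placeholder share from the post
$nodes     = @('10.0.0.11', '10.0.0.12')        # placeholder IPs of the web servers
$hostName  = 'www.example.com'                  # placeholder site host name

function Add-SharedWellKnown {
    param([string]$SiteName, [string]$PhysicalPath)
    # Virtual directory '.well-known' under the site root, backed by the share, so
    # /.well-known/acme-challenge/<token> maps to <share>\acme-challenge\<token>.
    # Run this on every node; the app pool identity must be able to read the share.
    if (-not (Get-WebVirtualDirectory -Site $SiteName -Name '.well-known' -ErrorAction SilentlyContinue)) {
        New-WebVirtualDirectory -Site $SiteName -Name '.well-known' -PhysicalPath $PhysicalPath | Out-Null
    }
}

function Initialize-ChallengeDirectory {
    param([string]$WellKnownPath)
    # ACME tokens have no file extension; IIS static-file serving refuses unknown
    # extensions unless a mimeMap for "." exists, so drop a web.config if none is there.
    $dir = Join-Path $WellKnownPath 'acme-challenge'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $webConfig = Join-Path $dir 'web.config'
    if (-not (Test-Path $webConfig)) {
@'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <staticContent>
      <remove fileExtension="." />
      <mimeMap fileExtension="." mimeType="text/plain" />
    </staticContent>
  </system.webServer>
</configuration>
'@ | Set-Content -Path $webConfig -Encoding UTF8
    }
    return $dir
}

function Test-ChallengeFromNode {
    param([string]$NodeIp, [string]$HostName, [string]$Token, [string]$Expected)
    # Connect to one node's IP but send the site's host name, so host-header/SNI
    # bindings route the request to the right site on that node.
    $req = [System.Net.HttpWebRequest]::Create("http://$NodeIp/.well-known/acme-challenge/$Token")
    $req.Host    = $HostName
    $req.Timeout = 5000
    try {
        $resp = $req.GetResponse()
        $body = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd().Trim()
        $resp.Close()
        return ($body -eq $Expected)
    } catch {
        Write-Warning "$NodeIp : $($_.Exception.Message)"
        return $false
    }
}

# 1. Wire every site on this node to the share.
foreach ($site in Get-Website) {
    Add-SharedWellKnown -SiteName $site.Name -PhysicalPath $sharePath
}
$challengeDir = Initialize-ChallengeDirectory -WellKnownPath $sharePath

# 2. Constructed probe: a random token with a known body, served from the share.
$token    = [guid]::NewGuid().ToString('N')
$expected = "probe-$token"
Set-Content -Path (Join-Path $challengeDir $token) -Value $expected -NoNewline -Encoding ASCII

# 3. Every node must answer with the same body, exactly as the CA would see it.
foreach ($ip in $nodes) {
    $ok = Test-ChallengeFromNode -NodeIp $ip -HostName $hostName -Token $token -Expected $expected
    '{0}: {1}' -f $ip, $(if ($ok) { 'OK' } else { 'FAIL' })
}
Remove-Item -Path (Join-Path $challengeDir $token) -Force
```

Run the virtual-directory part once on each server and the probe from any one of them; a node that reports FAIL is one the CA could be load-balanced to during validation, which is the failure mode the post is working around. Leave the probe token short-lived, as above, so the share never accumulates stale challenge files.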