Using Certify the web on more than one server

Hi

I’m new to the Certify web app and was wanting to know whether it was possible to use it to generate and renew certificates supporting the same domains on multiple servers (2-4 servers) (One certify the web app running on each server.)

or whether I should be looking at using a central certificate store (CCS) and running some custom scripts/actions to add the generated/renewed certificates to the central certificate store and get IIS on each server to point to the CCS and set up/renew site bindings for the certificate accordingly.

Could you confirm the best way in which the Certify web app could be used to solve this issue?

Thanks

Hi,
The app doesn’t currently have native CCS support but it is planned for the future. You could theoretically use a script of your own (a post-request PowerShell script) to deploy the certificate to your CCS store with the correct naming, but I’m not sure if anyone is currently doing it that way.

The potentially larger issue is shared validation if you are using HTTP validation (where a challenge response file is created in the website), as this needs to be included in the response of all webservers unless you can direct all /.well-known/acme-challenge requests to a single server.

@smithr18 well it looks like you’re not alone! SNI on a pool of webservers

I’ve managed to get this working (at least initially) by creating a Network Share to contain the “.well-known” directory, and then configuring that as a virtual directory under each of the IIS sites, on each of the servers that need access to it. You also need to use the share when configuring “Certify the Web”, in the “Website Root Directory” field.

This config meant that whichever server Certify the Web was running on, it would put the verification file in a single, shared location, and then whichever server Let’s Encrypt hits over HTTP, that will also hit the same single, shared location. A big pain that we had to do this, but glad to get it working. I wasn’t able to use the DNS verification approach as each server needed its own unique TXT file configuring, with the same name but a different value. Using that approach we would need to modify the TXT file every time each server tried to renew its certificate. That was obviously not a good option for an automated renewal process.

Hopefully the app will handle all of this natively in the future.

Thanks.

@j.strugnell Hello, I am trying to implement this for 2 load-balanced servers that I have using HTTP verification. Could you please explain to me the steps on how you got this working?
Appreciate your help regarding this.

Hi, it’s been a while ;0) I have pretty much outlined the steps above?

Do you know how to give the CertifyTheWeb executable/process access to write to the network share?

I think it’s untested to change Certify’s service’s account.

If you’re using a collection of AD linked computers, the Certify service that runs as SYSTEM will access network objects using the machine account in AD. So if you connect from system1 to system2, \\system2\sharename will need to give permission to system1$, which is the machine account.


Depending on what you’re trying to do you may also be able to impersonate another account, so if you’re scripting in PowerShell you can invoke your commands as another user by providing the credentials. Future versions of the app will allow user impersonation with credential storage.

For reference by others: the below may not be the ideal way to get this working, but it helped us:

  • the IIS virtual directory’s “physical path” needs to point to the .well-known directory inside the share, but inside CertifyTheWeb the Website Root needs to point to the root of the share (parent directory of .well-known)
  • The virtual directory’s Handler Mappings need to place the StaticFile mapping at the top (in the ordered list)
  • The virtual directory’s MIME Types need to include an entry for Extension . (a bare period) and MIME Type text/html
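One way to script the per-server setup described in the post above, added here as an example that is not part of the thread and not Certify the Web's own code; the share path `\\FILESERVER\acme`, the site name and the probe file name are assumed placeholders:

```powershell
# Added example (not from the thread): on each load-balanced IIS server, point a
# ".well-known" virtual directory at the shared folder and drop a web.config into
# that shared folder so every node serves the extension-less challenge files the
# same way. Placeholders: share root and site name below.
Import-Module WebAdministration

$ShareRoot = '\\FILESERVER\acme'               # "Website Root Directory" in Certify the Web
$WellKnown = Join-Path $ShareRoot '.well-known' # physical path of the IIS virtual directory
$SiteName  = 'Default Web Site'

# 1. Create the virtual directory under the site if it does not exist yet.
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name '.well-known')) {
    New-WebVirtualDirectory -Site $SiteName -Name '.well-known' -PhysicalPath $WellKnown | Out-Null
}

# 2. Shared web.config: StaticFile becomes the only handler for this path (so no
#    other handler tries to process the challenge file), and files with no
#    extension get a MIME type, otherwise IIS refuses to serve them.
$WebConfig = @'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule" resourceType="Either" requireAccess="Read" />
    </handlers>
    <staticContent>
      <mimeMap fileExtension="." mimeType="text/html" />
    </staticContent>
  </system.webServer>
</configuration>
'@
Set-Content -Path (Join-Path $WellKnown 'web.config') -Value $WebConfig -Encoding UTF8

# 3. Verify through this node that a constructed extension-less file placed in
#    the share is served back unchanged before relying on it for renewals.
$Probe = Join-Path $WellKnown 'acme-challenge\probe-test'
New-Item -ItemType Directory -Path (Split-Path $Probe) -Force | Out-Null
Set-Content -Path $Probe -Value 'probe' -NoNewline
$Resp = Invoke-WebRequest -Uri 'http://localhost/.well-known/acme-challenge/probe-test' -UseBasicParsing
if ($Resp.Content -ne 'probe') { throw 'Challenge path is not served correctly on this node' }
Remove-Item $Probe
```

The Certify service on each node still needs write access to the share, which for a SYSTEM service means granting the machine account (`hostname$`) as described earlier in the thread.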