letsencrypt-siteextension
Shared cert between Multiple instances
If I had two instances of a site, one in the US and one in the EU, then this extension would have to do multiple renewals. If I had enough instances this could go over the Let's Encrypt API limit.
It would be very useful to have the cert in blob and the webjobs to check there for a new cert.
That is a fair request - I would probably go with keyvault in that case. Don't expect me to get around to it within the next couple of weeks though.
KeyVault is a reasonable alternative.
Also thinking, if we had multiple instances with multiple installations then all webjobs will attempt to renew the cert at the same time.
Might be worth adding a setting to prevent them from attempting to renew.
@TWith2Sugars thanks for the concern, that shouldn't be an issue however, as the TimerTrigger that is used already takes care of only running one job at any time (I think it uses Azure Blob Storage for locking) https://github.com/Azure/azure-webjobs-sdk-extensions#timertrigger
Even better :)
I have found 1 odd edge case with regards to traffic managed sites.
In my above example the EU server made a request for a cert but the US instance was challenged.
How would we get round this?
Hmm - I should probably ensure that the challenge files are placed on all web frontends. But good point, I just tested on a single instance.
I have tagged this with wontfix for now, because when using Traffic Manager it gets complicated to ensure the acme-challenge files are placed on all web frontends. In that type of setup it would probably be better with a solution that would use the DNS challenge instead of the HTTP challenge. Unfortunately I can't think of an easy way to build the DNS challenge into the extension (it is at a minimum going to involve some manual DNS configuration). Right now that scenario is probably only for the most advanced use cases, and in many of those I would be reluctant to use Let's Encrypt's certificates in the first place, as solutions that require a global footprint probably are of such high importance that they should just spend the money on a real certificate and use a Microsoft supported way of enabling SSL.
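The failure mode described above (the EU job writes the challenge file, the CA's request is routed to the US frontend, validation fails) can be caught before asking the CA to validate. The following pre-flight check is an added example and not part of the extension; it fetches the http-01 challenge URL through each frontend by IP with the site's Host header and only reports "ready" when every frontend serves the same key authorization. The frontend IPs, hostname, token and thumbprint are constructed placeholders.

```python
"""Pre-flight check for the ACME http-01 challenge behind several web frontends.

Hypothetical helper: before asking the CA to validate, fetch the challenge
URL through every frontend (by IP, sending the site's Host header) and confirm
each one serves the same key authorization. A frontend that does not will
fail validation whenever Traffic Manager routes the CA's request to it.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

ACME_PATH = "/.well-known/acme-challenge/"
Fetcher = Callable[[str, str, str], Tuple[int, str]]


def fetch_via_frontend(ip: str, host: str, token: str, timeout: float = 5.0) -> Tuple[int, str]:
    """Fetch the challenge file from one frontend IP; returns (HTTP status, body)."""
    req = urllib.request.Request(f"http://{ip}{ACME_PATH}{token}", headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as err:
        return err.code, ""
    except (urllib.error.URLError, OSError):
        return 0, ""  # an unreachable frontend counts as a failure, not an exception


def check_challenge_on_frontends(frontends: Dict[str, str], host: str, token: str,
                                 key_authz: str, fetch: Fetcher = fetch_via_frontend) -> Dict[str, bool]:
    """Map each frontend name to whether it serves exactly the expected key authorization."""
    results = {}
    for name, ip in frontends.items():
        status, body = fetch(ip, host, token)
        results[name] = status == 200 and body == key_authz
    return results


def all_frontends_ready(results: Dict[str, bool]) -> bool:
    """Only request validation when every frontend answered correctly."""
    return bool(results) and all(results.values())


if __name__ == "__main__":
    # Constructed scenario from the thread: the EU job wrote the challenge file, the
    # US frontend never received it. An offline fake fetcher stands in for real HTTP.
    token, key_authz = "tok123", "tok123.thumbprint-placeholder"
    served = {"10.0.0.1": (200, key_authz), "10.0.0.2": (404, "")}
    fake = lambda ip, host, tok: served[ip]
    res = check_challenge_on_frontends({"eu": "10.0.0.1", "us": "10.0.0.2"},
                                       "www.example.com", token, key_authz, fetch=fake)
    print(res, "ready" if all_frontends_ready(res) else "do not request validation yet")
```

Replace the fake fetcher with the default `fetch_via_frontend` to run it against real frontends; the check never talks to the CA itself.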
Old thread, but is this still the case? Similar situation here but DNS is unfortunately not an option.