On Thu, May 20, 2021 at 01:10:51AM +0300, IL Ka wrote:

> > 2. This (same) certificate chain and associated private key is
> > deployed on all the backend servers that sit behind the load-balancer.
>
> I wrote that CNAME doesn't work with several backends.
> I now see it works if all backends share the same key and cert. Sounds good)
They don't even need to have the same key and cert, so long as they each
have some key and a matching cert for that key that has the right DNS
subject (alt) name. In particular, during cert renewal, some servers may
briefly present an older instance of the certificate, and some the newer,
and this is fine, so long as the older has not yet expired. The validity
intervals generally overlap.

    server1.example.com: key10 + cert10 matching <name>
    server2.example.com: key11 + cert11 matching <name>
    server3.example.com: key10 + cert10 matching <name>
    server4.example.com: key10 + cert10 matching <name>
    server5.example.com: key11 + cert11 matching <name>
    ...

Of course this should only be a transient condition, with *eventual
consistency* ensured via suitable automation.

-- 
    Viktor.
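An added example, not from this thread, of the fleet check Viktor's reply implies: each backend's presented cert is judged on its own (name match against the subjectAltName, validity window, renewal headroom), so a mix of cert10/cert11 instances passes while an expired or misnamed cert on one backend is flagged. The fleet data below is constructed, with two extra backends (server6, server7) beyond the thread's list to show the failure cases; the backend names, serials and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class PresentedCert:
    backend: str          # host that presented this cert behind the LB
    serial: str           # identifies the cert instance (cert10 vs cert11)
    san_dns: list         # dNSName entries from subjectAltName
    not_before: datetime
    not_after: datetime

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName match: exact match, or a single leading
    wildcard label that covers exactly one label of the hostname."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False          # reject *.com, partial-label and nested wildcards
    return plabels[1:] == hlabels[1:]

def check_backend(cert: PresentedCert, expected_name: str, now: datetime) -> list:
    """Problems with one backend's cert; an empty list means it is acceptable."""
    problems = []
    if not any(san_matches(p, expected_name) for p in cert.san_dns):
        problems.append("name-mismatch")
    if now < cert.not_before:
        problems.append("not-yet-valid")
    if now >= cert.not_after:
        problems.append("expired")
    return problems

def audit_fleet(certs, expected_name, now, renewal_window=timedelta(days=30)) -> dict:
    """Per-backend verdicts plus whether the fleet is in a mixed (transient) state."""
    report = {}
    for c in certs:
        problems = check_backend(c, expected_name, now)
        if not problems and c.not_after - now < renewal_window:
            problems.append("expiring-soon")   # renewal should already be under way
        report[c.backend] = problems
    distinct = {c.serial for c in certs}
    return {"per_backend": report, "distinct_certs": len(distinct), "mixed": len(distinct) > 1}

# Constructed sample fleet (assumed names/dates), modelled on the thread's list.
NOW = datetime(2021, 5, 20, tzinfo=timezone.utc)
EXPECTED_NAME = "mail.example.com"
SAN = ["mail.example.com", "smtp.example.com"]
def _c(host, serial, nb, na, san=SAN):
    return PresentedCert(host, serial, san, datetime(*nb, tzinfo=timezone.utc),
                         datetime(*na, tzinfo=timezone.utc))
FLEET = [
    _c("server1.example.com", "cert10", (2021, 3, 1), (2021, 7, 1)),
    _c("server2.example.com", "cert11", (2021, 5, 15), (2021, 8, 15)),
    _c("server3.example.com", "cert10", (2021, 3, 1), (2021, 7, 1)),
    _c("server4.example.com", "cert10", (2021, 3, 1), (2021, 7, 1)),
    _c("server5.example.com", "cert11", (2021, 5, 15), (2021, 8, 15)),
    _c("server6.example.com", "cert9", (2021, 1, 1), (2021, 4, 1)),   # stale, expired
    _c("server7.example.com", "cert12", (2021, 5, 1), (2021, 8, 1), ["other.example.net"]),
]
```

Running `audit_fleet(FLEET, EXPECTED_NAME, NOW)` reports servers 1 to 5 as clean despite two distinct cert instances, and singles out server6 (expired) and server7 (name-mismatch) as the backends the automation has not yet brought into line.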