On 05-19-2021 6:48 pm, Viktor Dukhovni wrote:
> 2. This (same) certificate chain and associated private key is deployed
> on all the backend servers that sit behind the load-balancer.
> Certificate renewal should happen on (one or all) the backend servers.
> If more than one, space out the cron job times far apart, so that
> no two are doing it at the same time. When any one succeeds in
> obtaining a new cert, promptly rsync it to the others.
This is where I'm getting confused.
Before, you said to make a cert for the load balancer where clients connect,
and deploy it on the backend servers.
Now you are saying each backend server should renew its cert.
What cert? They have been given a cert created by the load balancer,
meaning only the balancer can renew that cert.
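The procedure in the quoted point 2 (renew on one or more backends at staggered times, then rsync the result to the others) as an added example script; it is not from the thread or from any particular renewal client. The renewal command `acme_renew`, the directories under `/etc/ssl`, the `nginx` service name and the `PEERS` host list are assumptions for illustration; `flock`, `rsync` and `openssl` are the standard tools. The checks a practitioner would want are the ones the quoted text leaves implicit: a lock so two cron entries on one host never overlap, a key/certificate match test before anything is copied, and a content comparison so a peer that already has the new chain is left alone.

```shell
#!/bin/sh
# Added example (not from the thread): renewal wrapper for one backend behind the
# load balancer. Assumes a hypothetical "acme_renew" client that writes
# privkey.pem + fullchain.pem into $NEW_DIR, and rsync/ssh access to $PEERS.
set -eu

NEW_DIR="${NEW_DIR:-/etc/ssl/renewed}"   # where the renewal client writes (assumed path)
LIVE_DIR="${LIVE_DIR:-/etc/ssl/live}"    # what the TLS server actually loads (assumed path)
PEERS="${PEERS:-}"                       # space-separated peer hostnames, e.g. "web2 web3"

# Deterministic stagger: hash the hostname into a minute offset inside a window,
# so cron on each backend fires at a different time without hand-tuned schedules.
stagger_minutes() {  # $1 hostname, $2 window length in minutes
  sum=$(printf '%s' "$1" | cksum | cut -d' ' -f1)
  echo $(( sum % $2 ))
}

# The private key and the leaf certificate must belong together before anything
# is deployed or copied: compare the public key derived from each (needs openssl).
key_matches_cert() {  # $1 key file, $2 cert file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null | sha256sum | cut -d' ' -f1)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | sha256sum | cut -d' ' -f1)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Only push when the content differs from what is already deployed, so a peer that
# renewed on its own (or already received this chain) is not touched again.
cert_changed() {  # $1 candidate cert, $2 deployed cert (may not exist yet)
  [ -f "$2" ] || return 0
  a=$(sha256sum "$1" | cut -d' ' -f1)
  b=$(sha256sum "$2" | cut -d' ' -f1)
  [ "$a" != "$b" ]
}

# Copy the new chain+key to every peer's live directory and reload its TLS service.
distribute() {
  for peer in $PEERS; do
    rsync -a --delete "$NEW_DIR/" "$peer:$LIVE_DIR/"
    ssh "$peer" 'systemctl reload nginx'   # hypothetical service name
  done
}

main() {
  # Hold a lock so two cron entries on this host never renew concurrently.
  exec 9>/run/lock/cert-renew.lock
  flock -n 9 || { echo "another renewal is already running"; exit 0; }
  acme_renew --out "$NEW_DIR"              # hypothetical renewal client
  key_matches_cert "$NEW_DIR/privkey.pem" "$NEW_DIR/fullchain.pem" || {
    echo "renewed key and chain do not match; refusing to deploy" >&2; exit 1; }
  if cert_changed "$NEW_DIR/fullchain.pem" "$LIVE_DIR/fullchain.pem"; then
    rsync -a --delete "$NEW_DIR/" "$LIVE_DIR/"
    systemctl reload nginx
    distribute
  fi
}

# Invoke as "cert-renew.sh run" from cron; sourcing the file only defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

A cron entry of the form `$(stagger_minutes "$(hostname)" 60) 3 * * * /usr/local/sbin/cert-renew.sh run` gives each backend its own minute within the 03:00 hour, which is the "space out the cron job times" advice made mechanical; the hash offset spreads hosts across the window, but it does not guarantee two hostnames never collide, so check the computed offsets once when adding a new backend.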