DNS Route 53 DNS Failover with LetsEncrypt

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Colin, Mar 16, 2017.

  1. Colin

    In the process of rolling a new community and I thought I'd take the chance to learn and make a better do of it.

    Based on @eva2000 fremont thread https://community.centminmod.com/threads/linode-fremont-datacenter-outage.3080/ I figured I'd read up on route 53 and failover. I intrinsically followed the docs and this article:
    Create a Backup Website Using Route 53 DNS Failover and S3 Website Hosting | AWS Blog
    I also threw in https, both servers; primary and secondary are running centmin beta with acme for lets encrypt. So the primary is set as www.domain.com and the fail is setup as fail.domain.com << key issue

    Thus instead of S3 for a static fail host, I've opted for a vultr 512 sandbox.

    So my actors:
    domain.com -> alias to s3 static bucket which is a redirect to www.domain.com
    www.domain.com -> a ptr to primary IP
    fail.domain.com -> a ptr to backup IP

    The scenario is primary goes down, within a few minutes I'd like the secondary 'fail' to hold visitors hands.

    I've got a health check on the primary for https -> domain.com, that is associated in the zones.
    I've got a www.domain.com A -> alias pointing to fail.domain.com

    Now, this works, except it doesn't. The alias means the backup is trying to serve up fail.domain.com as www.domain.com, QED a certificate error.

    TBH I'm pretty mashed, coming on 23 hours awake today. The query then is, and in part to start a series of conversations, ideal blank sheet stuff.

    a. What did I miss?
    b. I'm guessing this just isn't going to work on letsencrypt.

    No rush I think I'm going to watch the dawn then curl up and hibernate. Cheers.
     
  2. Colin

    So, intrepid readers, I woke up and had the face palm and a bit of keyboard face.

    I asked, what if I was doing this before letsencrypt? I'd of course have the certificates on both servers.

    So, how to do this with LE? Rsync from the primary to the backup is a logical 1st step. There might be edge cases through a period of long downtime where the cert expires though. I think for the edge case that is, it would be the least of my concerns.

    In a forum post about caddy, I stumbled on how they might be solving it; I'm not planning on using caddy, but it is interesting : https://forum.caddyserver.com/t/clustering-caddy/1571

    So with a copy of the certs from primary on the fail host, all working fine, now to automate it all.

    They say tiredness is more dangerous than alcohol... I'd agree.
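Added example (not code from the thread or from Centmin Mod): a small Python model of the two posts above. It shows why the Route 53 alias from www.domain.com to fail.domain.com produced a certificate error, and why copying the primary's certificate to the backup fixes it but leaves the long-outage expiry edge case. The zone records, IPs (documentation ranges), SAN lists and validity dates are all constructed; certificates are modelled as plain records rather than parsed PEM so it runs offline. Route 53 behaviour is simplified to "answer with the secondary when the primary's health check fails"; the secondary's own health check is not modelled.

```python
# Added example (not from the thread): model of Route 53 failover plus the
# hostname and expiry checks a browser applies to the presented certificate.
# All data below is constructed for illustration.
from datetime import datetime, timedelta, timezone
from typing import NamedTuple


class Cert(NamedTuple):
    sans: tuple          # dNSName subjectAltName entries
    not_after: datetime  # end of the validity period


# Constructed zone mirroring the thread's records: an A record holds an IP,
# an alias holds another name. "secondary" is the failover target Route 53
# answers with while the primary's health check is failing.
ZONE = {
    "www.domain.com": {"primary": "198.51.100.10", "secondary": "fail.domain.com"},
    "fail.domain.com": {"primary": "203.0.113.20"},
}


def resolve(name, zone, healthy, depth=0):
    """IP a client receives for `name`.

    If the primary target's health check is failing and a secondary exists,
    the secondary is returned instead. Alias targets (names) are followed.
    What does NOT change is the name the client asked for.
    """
    if depth > 8:
        raise RuntimeError("alias chain too long")
    rr = zone[name]
    target = rr["primary"]
    if not healthy.get(target, True) and "secondary" in rr:
        target = rr["secondary"]
    if target in zone:            # alias: keep resolving
        return resolve(target, zone, healthy, depth + 1)
    return target                 # A record: an IP


def san_matches(san, hostname):
    """RFC 6125-style match: exact name, or a wildcard covering one label."""
    san, hostname = san.lower(), hostname.lower()
    if san.startswith("*."):
        return hostname.count(".") == san.count(".") and hostname.endswith(san[1:])
    return san == hostname


def cert_valid_for(cert, hostname, now):
    """The two browser checks that matter here: expiry and name coverage."""
    if now > cert.not_after:
        return False, "expired"
    if not any(san_matches(s, hostname) for s in cert.sans):
        return False, "no SAN matches " + hostname
    return True, "ok"


def simulate(requested, zone, healthy, certs_by_ip, now):
    """Client asks DNS for `requested`, connects to the answer, sends
    SNI=`requested`, and validates the presented cert against `requested`."""
    ip = resolve(requested, zone, healthy)
    ok, why = cert_valid_for(certs_by_ip[ip], requested, now)
    return ip, ok, why


# Constructed certificates standing in for what acme.sh issued on each host.
NOW = datetime(2017, 3, 16, tzinfo=timezone.utc)
PRIMARY_CERT = Cert(("www.domain.com", "domain.com"), NOW + timedelta(days=60))
FAIL_CERT = Cert(("fail.domain.com",), NOW + timedelta(days=60))
PRIMARY_DOWN = {"198.51.100.10": False}
OWN_CERTS = {"198.51.100.10": PRIMARY_CERT, "203.0.113.20": FAIL_CERT}
SYNCED_CERTS = {"198.51.100.10": PRIMARY_CERT, "203.0.113.20": PRIMARY_CERT}


def scenarios():
    """Run the thread's situations; returns {name: (ip, ok, reason)}."""
    return {
        # 1. Primary healthy: nothing fails over.
        "healthy": simulate("www.domain.com", ZONE, {}, OWN_CERTS, NOW),
        # 2. Primary down, backup only has its own fail.domain.com cert (post 1).
        "failover_own_cert": simulate("www.domain.com", ZONE, PRIMARY_DOWN, OWN_CERTS, NOW),
        # 3. Primary's cert copied to the backup (post 2's fix).
        "failover_synced_cert": simulate("www.domain.com", ZONE, PRIMARY_DOWN, SYNCED_CERTS, NOW),
        # 4. Long outage: the synced copy expires before the primary can renew it.
        "failover_long_outage": simulate("www.domain.com", ZONE, PRIMARY_DOWN, SYNCED_CERTS,
                                         NOW + timedelta(days=90)),
    }


if __name__ == "__main__":
    for name, (ip, ok, why) in scenarios().items():
        print(f"{name:22s} -> {ip:14s} {'OK  ' if ok else 'FAIL'} {why}")
```

The point the model makes explicit: failover only changes which IP the DNS answer carries, so the browser still validates the backup's certificate against www.domain.com and sends that name in SNI. The backup therefore has to present a certificate whose SANs cover www.domain.com, and a copy synced from the primary is only as good as its remaining validity, which is why a long outage eventually turns scenario 3 into scenario 4.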
     
  3. eva2000

  4. Colin

    Another hidden gem. :D I'll give that a crack this evening.

    Somehow I've gotten into playing with gitlab doing static site CI pushes to keycdn. Since they popped the price up a bit this year, seems I'd better use them a bit more. Although ironically, following that, for the www landing static pages, it negates the need for a failover :)