Load balancing

Some pointers on simple-acme and load balancing.

Sharing certificates between servers

It really depends if you’re using a separate appliance to offload HTTPS or if it’s handled by the servers in the pool themselves. In the latter case you should probably use the Central Certificate Store feature of IIS. Instructions on how to configure simple-acme to use it can be found here.

Scheduled task

  • You can have a single server act as a renewal server running simple-acme. That means it’s a single point of failure, but only a minor one, because certificates only need to be renewed once every three months.
  • To distribute the task of renewing, you should point the ConfigurationPath in the settings.json of simple-acme to somewhere on your SAN, so that any member of the pool can potentially renew the certificates.
  • You can configure the Scheduled Task on different machines at different times, e.g. one at 4:00 am, the next at 5:00 am, etc. Then you can be sure that they will not run at the same time and the first one that succeeds handles everything.
  • If you’re building an actual cluster, you can use a Clustered Task instead of a regular Scheduled Task.

Encryption

The encryption for the config files will have to be disabled via settings.json so that all machines in the cluster can read the passwords.

Appliance

If you are using an appliance then you have to use their API and call into that from an installation script.

Looking for win-acme?

simple-acme is a backwards compatible, drop-in replacement built by the same person. Project history.