This is pretty straightforward. You create the certificate for the virtual hostname, not your
primary and secondary nodes; then you can either put it on both servers in /etc/ssl or on the drbd
partition. This is just a matter of preference.
You need DNS entries as follows (this is an example, you will use your real IP
addresses):
node1.example.com 192.168.1.11
node2.example.com 192.168.1.12
www.example.com 192.168.1.10 (This is the shared IP which the nodes can take over and which will be
published on DNS for your website)
You create your SSL certificates for www.example.com, not for node1.example.com
nor node2.example.com.
Next, you put it in your drbd partition and then create an ssl configuration for apache that points
to the appropriate location for the ssl file.
That way, whichever node is up, node1 or node2, will read the SSL certificate for www.example.com
from the same place and it will work just fine.
In my case, I have the drbd partition mounted on /web on my web server. I then have all the apache
configuration files under /web/etc/httpd and basically whichever host takes over the virtual IP
(active/passive configuration), will be able to read the configurations, certificates and web server
files.
For ldap, it is the same thing, except your hostname to virtual IP mapping is:
ldap.example.com points to the virtual IP of your choosing. Then all your ldap clients use
ldap.example.com in their ldap configuration.
HTH,
Diego
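The layout Diego describes, as an added shell example that is not code from either poster: the certificate is issued for the service name (www.example.com, or ldap.example.com for the LDAP case), stored on the shared DRBD mount, and the Apache vhost and the LDAP client config reference it by its path there. Assumptions are labelled in the comments: the DRBD partition is mounted at $WEBROOT (default /web), the service names are www.example.com and ldap.example.com, and the LDAP base DN is dc=example,dc=com. The cert is self-signed so the example runs offline; with a CA-issued cert only the issuing step changes, the subject/SAN rule is the same.

```shell
#!/bin/sh
# Added example illustrating the layout described in the reply above; it is
# not code from the original thread. Assumptions: the DRBD partition is
# mounted at $WEBROOT (default /web), the service names are www.example.com
# and ldap.example.com, and the LDAP base DN is dc=example,dc=com.
set -eu

WEBROOT="${WEBROOT:-/web}"

# Issue a certificate for the service FQDN (the virtual hostname), never for
# node1/node2. Self-signed here so the example runs offline; in production the
# CSR goes to a CA, but the subject/SAN rule is the same.
make_service_cert() {
    dir="$1"; fqdn="$2"
    mkdir -p "$dir"
    cat > "$dir/$fqdn.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $fqdn
[ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$dir/$fqdn.cnf" \
        -keyout "$dir/$fqdn.key" -out "$dir/$fqdn.crt" >/dev/null 2>&1
    chmod 600 "$dir/$fqdn.key"   # private key on the shared volume: owner-only
}

# Check that a certificate is valid for a given name (SAN entry present).
# Run this on whichever node holds the virtual IP before trusting a failover.
cert_matches_fqdn() {
    openssl x509 -in "$1" -noout -text | grep -Fq "DNS:$2"
}

# Apache vhost that references the cert by its path on the shared mount, so
# either node reads the same files after taking over the virtual IP.
write_apache_ssl_conf() {
    confdir="$1"; fqdn="$2"; certdir="$3"
    mkdir -p "$confdir"
    cat > "$confdir/$fqdn.conf" <<EOF
<VirtualHost *:443>
    ServerName $fqdn
    DocumentRoot $WEBROOT/htdocs
    SSLEngine on
    SSLCertificateFile $certdir/$fqdn.crt
    SSLCertificateKeyFile $certdir/$fqdn.key
</VirtualHost>
EOF
}

# Client-side ldap.conf for the LDAP case: clients talk to the virtual name
# and pin the certificate/CA that vouches for ldap.example.com.
write_ldap_client_conf() {
    out="$1"; fqdn="$2"; cacert="$3"
    cat > "$out" <<EOF
URI ldaps://$fqdn
BASE dc=example,dc=com
TLS_CACERT $cacert
TLS_REQCERT demand
EOF
}

# Usage (writes under a directory of your choice, e.g. a scratch copy of /web):
#   demo /tmp/ha-demo
demo() {
    root="$1"
    make_service_cert "$root/etc/ssl" www.example.com
    make_service_cert "$root/etc/ssl" ldap.example.com
    write_apache_ssl_conf "$root/etc/httpd" www.example.com "$root/etc/ssl"
    write_ldap_client_conf "$root/etc/ldap.conf" ldap.example.com \
        "$root/etc/ssl/ldap.example.com.crt"
    cert_matches_fqdn "$root/etc/ssl/www.example.com.crt" www.example.com
}
```

Point `demo` at a scratch directory first; once the files look right, the same functions can be run against the real mount (e.g. `WEBROOT=/web demo /web`). The `cert_matches_fqdn` check is the one worth wiring into a failover test: a cert that names node1.example.com instead of the virtual hostname will pass on one node and fail TLS verification for clients after the other node takes over.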
Benjamin Watine wrote:
Hi
I'm using heartbeat and drbd for openLDAP, and I would like to use TLS
on it. So I have to create certificate and key files. But I would like
to have the same certificate on both nodes that run openLDAP.
Is there a known way to do that? Can I put the certificate in a drbd
volume and share it across the 2 openLDAP servers?
I think the problem is the same for apache-ssl, maybe there is a good known
solution.
Regards
Benjamin
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems