Hi Diego
Thanks a lot for your answer. I was thinking that the SSL certificate was
linked to the physical server (with serial number, conf or other), and
couldn't be shared between real servers so easily. If you tell me that
you did it for apache-ssl, then that's not the case!
Thanks again
Ben
Diego Julian Remolina wrote:
This is pretty straightforward. You create the certificate for the
virtual hostname, not your primary and secondary nodes, then you can
either put it on both servers in /etc/ssl or on the drbd partition; this
is just a matter of preference.
You need DNS entries as follows (this is an example, you will use your
real IP addresses):
node1.example.com 192.168.1.11
node2.example.com 192.168.1.12
www.example.com 192.168.1.10 (This is the shared IP which the nodes can
take over and which will be published on DNS for your website)
You create your SSL certificates for www.example.com, not for
node1.example.com nor node2.example.com.
Next, you put it in your drbd partition and then create an ssl
configuration for apache that points to the appropriate location for the
ssl file.
That way, whichever node is up, node1 or node2, will read the SSL
certificate for www.example.com from the same place and it will work
just fine.
In my case, I have the drbd partition mounted on /web on my web server.
I then have all the apache configuration files under /web/etc/httpd and
basically whichever host takes over the virtual IP (active/passive
configuration), will be able to read the configurations, certificates
and web server files.
For ldap, it is the same thing, except your hostname to virtual IP
mapping is:
ldap.example.com points to the virtual IP of your choosing. Then all
your ldap clients use ldap.example.com in their ldap configuration.
HTH,
Diego
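As an added illustration of the setup Diego describes (not code from the thread or from the Linux-HA project), the script below issues one certificate whose CN and SAN name only the virtual hostname, and then checks that a given certificate is valid for a hostname and that a key and certificate belong together, so the copy on the shared drbd mount can be verified from whichever node is active. It assumes an OpenSSL 1.1.1+ command line (for `-addext`); directory names are placeholders.

```shell
#!/bin/sh
# Added example: certificate for the virtual hostname of an HA pair.
# Assumes openssl >= 1.1.1. Paths and hostnames are placeholders.
set -eu

# make_vip_cert DIR NAME [ALTNAME...]
# Writes DIR/NAME.key and DIR/NAME.crt. CN and subjectAltName carry the
# virtual hostname (plus optional extra names), never node1/node2.
make_vip_cert() {
    dir=$1; name=$2; shift 2
    san="DNS:$name"
    for alt in "$@"; do san="$san,DNS:$alt"; done
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=$san" \
        -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1
    chmod 600 "$dir/$name.key"   # private key readable by root only
}

# cert_matches_host CERT HOST -> exit 0 if CERT is valid for HOST.
# Same name check a browser or LDAP client performs; run it against the
# shared copy (e.g. on the drbd mount) on the node holding the VIP.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# key_matches_cert KEY CERT -> exit 0 if the pair belong together
# (catches a key and cert that were copied from different generations).
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# Demo on a scratch directory; in production use the drbd mount,
# e.g. /web/etc/ssl (placeholder), so both nodes read the same files.
demo=$(mktemp -d)
make_vip_cert "$demo" www.example.com ldap.example.com
cert_matches_host "$demo/www.example.com.crt" www.example.com \
    && echo "certificate names the virtual host"
cert_matches_host "$demo/www.example.com.crt" node1.example.com \
    || echo "certificate does not name node1 (as intended)"
key_matches_cert "$demo/www.example.com.key" "$demo/www.example.com.crt" \
    && echo "key and certificate match"
rm -rf "$demo"
```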
Benjamin Watine wrote:
Hi
I'm using heartbeat and drbd for openLDAP, and I would like to use TLS
on it. So I have to create certificate and key files. But I would like
to have the same certificate on both nodes that run openLDAP.
Is there a known way to do that? Can I put the certificate in the drbd
volume and share it across the 2 openLDAP servers?
I think the problem is the same for apache-ssl, maybe there is a good
known solution.
Regards
Benjamin
_______________________________________________
Linux-HA mailing list
[email protected]
http://lists.linux-ha.org/mailman/listinfo/linux-ha
See also: http://linux-ha.org/ReportingProblems