<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0"><channel><title><![CDATA[HA sync overwrites certificates on backup router even if unchecked]]></title><description><![CDATA[<p dir="auto">I set up ACME/LE certs on our two data center routers yesterday.  Twice since then I have noticed the cert is missing on the backup router, even though I disabled sync of certificates:<br />
<img src="/assets/uploads/files/1772213518123-0be69b2e-b131-4495-8378-b1f885b8ec5e-image.png" alt="0be69b2e-b131-4495-8378-b1f885b8ec5e-image.png" class=" img-fluid img-markdown" /></p>
<p dir="auto">I'm assuming that is not expected?  The backup router web server is left running with a live cert, but the web server cert dropdown is set to "IKEv2 server," the first cert it has in its list.  So presumably it would break upon restart.  The CAs are overwritten and the router1 cert is on router2 as well, so they all synced.</p>
<p dir="auto">If expected, what is the solution, to use a wildcard cert?  That's what we previously had, so we had been syncing certs on purpose.</p>
<p dir="auto">These routers are still on 25.07, though I don't see anything in later release notes about this.</p>
]]></description><link>https://forum.netgate.com/topic/200255/ha-sync-overwrites-certificates-on-backup-router-even-if-unchecked</link><generator>RSS for Node</generator><lastBuildDate>Sat, 13 Jun 2026 06:44:27 GMT</lastBuildDate><atom:link href="https://forum.netgate.com/topic/200255.rss" rel="self" type="application/rss+xml"/><pubDate>Fri, 27 Feb 2026 17:36:44 GMT</pubDate><ttl>60</ttl><item><title><![CDATA[Reply to HA sync overwrites certificates on backup router even if unchecked on Fri, 05 Jun 2026 21:04:37 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/derelict">@<bdi>Derelict</bdi></a> I realized today that although the LE cert syncs to the secondary just fine, it doesn't restart nginx which continues using the expired cert.</p>
<p dir="auto">On the primary router the Post-Renew Actions is run to do that. That doesn't exist on the secondary because the cert doesn't exist on the secondary.</p>
<p dir="auto">Is there a proper solution other than restarting the secondary webGUI via cron or something?</p>
]]></description><link>https://forum.netgate.com/post/1243733</link><guid isPermaLink="true">https://forum.netgate.com/post/1243733</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Fri, 05 Jun 2026 21:04:37 GMT</pubDate></item><item><title><![CDATA[Reply to HA sync overwrites certificates on backup router even if unchecked on Sat, 28 Feb 2026 02:14:06 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/derelict">@<bdi>Derelict</bdi></a> Yeah, that’d be the other option and basically what we did with the wildcard cert. Might be cleaner to let the certs sync. It just surprised me to carefully test it all on r2, set up one cert on r1, and everything disappeared on r2.</p>
<p dir="auto">We were using the wildcard in a lot of places but are looking to avoid replacing that many cert locations every 47 days going forward… :(</p>
]]></description><link>https://forum.netgate.com/post/1238821</link><guid isPermaLink="true">https://forum.netgate.com/post/1238821</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Sat, 28 Feb 2026 02:14:06 GMT</pubDate></item><item><title><![CDATA[Reply to HA sync overwrites certificates on backup router even if unchecked on Fri, 27 Feb 2026 22:46:06 GMT]]></title><description><![CDATA[<p dir="auto"><a class="plugin-mentions-user plugin-mentions-a" href="/user/steveits">@<bdi>SteveITS</bdi></a> I use acme to obtain a certificate with three hostnames, fw-xyz.domain.com (CARP VIP), fw-a-xyz.domain.com (Primary), and fw-b-xyz.domain.com (Secondary). This runs on the primary and syncs to the secondary. Works great.</p>
]]></description><link>https://forum.netgate.com/post/1238810</link><guid isPermaLink="true">https://forum.netgate.com/post/1238810</guid><dc:creator><![CDATA[Derelict]]></dc:creator><pubDate>Fri, 27 Feb 2026 22:46:06 GMT</pubDate></item><item><title><![CDATA[Reply to HA sync overwrites certificates on backup router even if unchecked on Fri, 27 Feb 2026 19:26:43 GMT]]></title><description><![CDATA[<p dir="auto">If I read a bit further in the list I get to "OpenVPN configuration (Implies CA/Cert/CRL Sync)".  We don't use that anymore so I suppose can uncheck that. <img src="https://forum.netgate.com/assets/plugins/nodebb-plugin-emoji/emoji/android/1f915.png?v=717669fab53" class="not-responsive emoji emoji-android emoji--face_with_head_bandage" style="height:23px;width:auto;vertical-align:middle" title=":face_with_head_bandage:" alt="🤕" /></p>
]]></description><link>https://forum.netgate.com/post/1238805</link><guid isPermaLink="true">https://forum.netgate.com/post/1238805</guid><dc:creator><![CDATA[SteveITS]]></dc:creator><pubDate>Fri, 27 Feb 2026 19:26:43 GMT</pubDate></item></channel></rss>