Install uCARP on Debian 12

Install the ucarp package first:

apt install ucarp

Configure the interface in /etc/network/interfaces on your PRIMARY server:

iface eth0 inet static
    address 10.1.1.4/24
    gateway 10.1.1.1
    # dns-* options are implemented by the resolvconf package, if installed
    dns-nameservers 1.1.1.1 9.9.9.9
    dns-search domain

iface eth0:ucarp inet static
    address 10.1.1.30
    netmask 255.255.255.0

Now do the same thing on your SECONDARY server:

iface eth0 inet static
     address 10.1.1.5/24
     gateway 10.1.1.1
     # dns-* options are implemented by the resolvconf package, if installed
     dns-nameservers 1.1.1.1 9.9.9.9
     dns-search domain

iface eth0:ucarp inet static
     address 10.1.1.30
     netmask 255.255.255.0

You can check on your primary if CARP is working with

$ ifup eth0:ucarp

If this is fine, we have to create a config file and the systemd startup unit, as the package comes without such a unit file.

First create /etc/ucarp/vip-common.conf on both servers and paste the following. This is for the primary, so you have to adapt it to fit the secondary, notably SOURCE_ADDRESS and ADVSKEW. Set the ADVSKEW higher on the secondary, e.g. ADVSKEW="100":

BIND_INTERFACE="eth0"
PASSWORD="mysimplepass"
VIP_ADDRESS="10.1.1.30"
SOURCE_ADDRESS="10.1.1.4"
VHID="1"
ADVBASE="1"
ADVSKEW="10"
OPTIONS="-P -z"
UPSCRIPT="/usr/share/ucarp/vip-up"
DOWNSCRIPT="/usr/share/ucarp/vip-down"

Then create the systemd unit file /etc/systemd/system/ucarp.service:

[Unit]
Description=UCARP virtual interface
After=network.target

[Service]
EnvironmentFile=-/etc/ucarp/vip-common.conf
ExecStart=/usr/sbin/ucarp $OPTIONS -i $BIND_INTERFACE -p $PASSWORD -v $VHID -a $VIP_ADDRESS -s $SOURCE_ADDRESS -b $ADVBASE -k $ADVSKEW -u $UPSCRIPT -d $DOWNSCRIPT
KillMode=control-group

[Install]
WantedBy=multi-user.target

Last but not least, start it:

$ systemctl enable --now ucarp
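
To check that the two vip-common.conf files fit together, copy both to one host and compare them. The script below is an added example, not part of the original article or the ucarp package: it checks that the file holding the shared password is readable by its owner only, that the values the article keeps identical match, and that SOURCE_ADDRESS and ADVSKEW differ as described above. The function names and the sample files it writes are assumptions, and it expects GNU stat.

```shell
# Added example: compare the primary's and secondary's vip-common.conf.
# conf_get FILE KEY: read KEY="value" without sourcing (executing) the file.
conf_get() {
    sed -n 's/^'"$2"'="\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1
}
check_ucarp_pair() {  # usage: check_ucarp_pair PRIMARY_CONF SECONDARY_CONF
    p=$1; s=$2; rc=0
    # The file holds the shared password, so only its owner may read it.
    for f in "$p" "$s"; do
        mode=$(stat -c %a "$f")  # GNU stat
        case $mode in
            600|400) ;;
            *) echo "FAIL $f: mode $mode, expected 600"; rc=1 ;;
        esac
    done
    # Values the article keeps identical on both nodes.
    for k in VHID PASSWORD VIP_ADDRESS ADVBASE; do
        if [ "$(conf_get "$p" "$k")" != "$(conf_get "$s" "$k")" ]; then
            echo "FAIL $k differs between the nodes"; rc=1
        fi
    done
    # Each node announces itself from its own address.
    if [ "$(conf_get "$p" SOURCE_ADDRESS)" = "$(conf_get "$s" SOURCE_ADDRESS)" ]; then
        echo "FAIL SOURCE_ADDRESS is identical on both nodes"; rc=1
    fi
    # The secondary needs the higher ADVSKEW.
    pk=$(conf_get "$p" ADVSKEW); sk=$(conf_get "$s" ADVSKEW)
    if ! [ "$sk" -gt "$pk" ] 2>/dev/null; then
        echo "FAIL ADVSKEW: secondary ($sk) must be higher than primary ($pk)"; rc=1
    fi
    return $rc
}
# Constructed sample input. usage: write_conf FILE SOURCE_ADDRESS ADVSKEW
write_conf() {
    ( umask 077; cat > "$1" <<EOF
PASSWORD="mysimplepass"
VIP_ADDRESS="10.1.1.30"
SOURCE_ADDRESS="$2"
VHID="1"
ADVBASE="1"
ADVSKEW="$3"
EOF
    )
}
d=$(mktemp -d)
write_conf "$d/primary.conf" 10.1.1.4 10
write_conf "$d/secondary.conf" 10.1.1.5 100
check_ucarp_pair "$d/primary.conf" "$d/secondary.conf" && echo "pair OK"
rm -rf "$d"
```

A non-zero exit status from check_ucarp_pair means at least one check failed; each failure is printed on its own line.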

https://ucarp.wordpress.com

Convert a pfx certificate to crt and key files

Extract the key and decrypt it:

openssl pkcs12 -in cert.pfx -nocerts -out cert-encrypted.key
openssl rsa -in cert-encrypted.key -out cert.key

Extract the certificate:

openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.crt

Extract the bundle:

openssl pkcs12 -in cert.pfx -nokeys -nodes -cacerts -out ca-bundle.crt