3

Is there a way to use certbot and letsencrypt certificate for multiserver setup without having to manually copy the certificates from one node to another?

I have a domain name example.com which is resolved to 192.0.2.1 in Americas and to 192.0.2.2 in Asia.

I run certbot from the American server and it successfully generates a certificate. I can't run the same command from the Asian server, as certbot will only be able to resolve the domain to 192.0.2.1.

Therefore, in order to install the certificate on the Asian server, I have to copy it from 192.0.2.1 to 192.0.2.2.

Yes, the copy process can be scripted, though it doesn't look like a good idea to me. Is there another way around?

Patrick Mevzek
rush

2 Answers

1

In the end I used the solution described here.

In a couple of words:

  1. Use a single node for certificate generation
  2. Use an nginx proxy to forward /.well-known/ from all frontends to the node from step 1
  3. Copy the certificates to all frontend servers with scripts
rush
0

The problem is that you can't know where the verification will run from.

You have two general solutions:

  1. copy the cert+key between the servers.
  2. temporarily have your domain resolve to exactly one place, issue a cert there, then make it resolve to the other location and issue a cert there, lastly flip back to your split horizon. You'll have to repeat this when you want to renew the certificate as well.

Solution 2 is far worse practice than copying your cert+key.

Consider how you would have solved this prior to LetsEncrypt:

  • generate a key & CSR somewhere (admin workstation or a server)
  • submit CSR to CA
  • get cert back from CA
  • push key & cert to both servers.

From that perspective, pushing the key/cert from one server to the other isn't that bad.

This was also covered previously: https://community.letsencrypt.org/t/will-lets-encrypt-work-for-me-multiple-servers-serving-one-domain/6830/7

robbat2