trothamel 4 days ago

Question: Does anyone have a good solution for renewing letsencrypt certificates for websites hosted on multiple servers? Right now, I have one master server that the others forward the well-known requests to, and then I copy the certificate over when I'm done, but I'm wondering if there's a better way.

nullwarp 4 days ago

I use DNS verification for this then the server doesn't even need to be exposed to the internet.

magicalhippo 3 days ago

And if changing the DNS entry is problematic, for example the DNS provider used doesn't have an API, you can redirect the challenge to another (sub)domain which can be hosted by a provider that has an API.

I've done this and it works very well. I had a Digital Ocean droplet so used their DNS service for the challenge domain.

https://letsencrypt.org/docs/challenge-types/#dns-01-challen...
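How the delegation described above actually resolves, as an added example that is not part of the thread: the ACME validator asks for a TXT record at `_acme-challenge.<domain>`, and because resolvers follow CNAMEs, a static CNAME in the API-less zone is enough to move the record the client has to write into a zone whose provider has an API. The zone contents below (example.com, acme.example.net, the digest value) are constructed for the demo; real validation also uses the CA's own resolvers rather than a dictionary.

```python
"""Added example (not from the thread): simulate how a DNS-01 validator finds
the challenge TXT record when _acme-challenge.<domain> is a CNAME into a zone
hosted by a provider that has an API. All zone data here is constructed."""

CNAME_LIMIT = 8  # bound the walk so a misconfigured loop cannot spin forever

# Constructed zone view: fully-qualified owner name -> (rtype, rdata).
ZONE = {
    # Zone at a provider with no API: a static CNAME, set once by hand.
    "_acme-challenge.www.example.com.": (
        "CNAME", "_acme-challenge.www.example.com.acme.example.net."),
    "_acme-challenge.api.example.com.": (
        "CNAME", "_acme-challenge.api.example.com.acme.example.net."),
    # Zone at a provider with an API (the DigitalOcean case in the comment):
    # the ACME client rewrites this TXT record at every renewal.
    "_acme-challenge.www.example.com.acme.example.net.": (
        "TXT", "constructed-key-authorization-digest"),
    # Deliberately broken entry: a CNAME that points at itself.
    "_acme-challenge.loop.example.com.": (
        "CNAME", "_acme-challenge.loop.example.com."),
}


def challenge_name(domain):
    """Owner name the validator queries for a given domain."""
    return "_acme-challenge." + domain.strip(".").lower() + "."


def delegation_target(domain, zone=ZONE):
    """Return the owner name where the TXT record must be written for `domain`:
    the end of the CNAME chain that starts at _acme-challenge.<domain>."""
    name = challenge_name(domain)
    seen = set()
    for _ in range(CNAME_LIMIT):
        rec = zone.get(name)
        if rec is None or rec[0] != "CNAME":
            return name  # no (further) CNAME: the TXT belongs at this name
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        name = rec[1]
    raise ValueError("CNAME chain longer than CNAME_LIMIT")


def has_cname_loop(domain, zone=ZONE):
    """Pre-flight check an operator can run before enabling delegation."""
    try:
        delegation_target(domain, zone)
        return False
    except ValueError:
        return True


def dns01_validates(domain, expected_digest, zone=ZONE):
    """What the CA does: resolve TXT at the challenge name, following CNAMEs,
    and compare it with the key-authorization digest it expects."""
    target = delegation_target(domain, zone)
    rec = zone.get(target)
    return rec is not None and rec[0] == "TXT" and rec[1] == expected_digest


if __name__ == "__main__":
    print(delegation_target("www.example.com"))
    print(dns01_validates("www.example.com", "constructed-key-authorization-digest"))
```

The useful property is the second lookup: `api.example.com` has its CNAME in place but no TXT yet, and `delegation_target` still tells you exactly which name the API-driven client must write, which is the record you automate.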

samgranieri 2 days ago

I use dns01 in my homelab with step-ca. Works like a charm, and it's my private certificate authority.

hangonhn 4 days ago

We just use certbot on each server. Are you worried about the rate limit? LE rate limits based on the list of domains. So we send the request for the shared domain and the domain for each server instance. That makes each renew request unique per server for the purpose of the rate limit.
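The per-server identifier-set pattern from the comment above, as an added example that is not part of the thread: Let's Encrypt's duplicate-certificate limit is measured per exact set of identifiers in a certificate, so requesting the shared name plus a per-host name gives every server its own set. The hostnames, e-mail address, issuance history and the limit constants (5 per rolling 7 days, the published duplicate-certificate limit) are constructed or assumed here.

```python
"""Added example (not from the thread): check that a fleet's certbot requests
never share an identifier set, and simulate the duplicate-certificate limit
against a constructed issuance history."""
from datetime import datetime, timedelta

DUPLICATE_LIMIT = 5          # issuances of one exact identifier set per window (assumed)
WINDOW = timedelta(days=7)   # rolling window the limit is measured over (assumed)


def identifier_set(domains):
    """Normalise a domain list the way the limit sees it: case- and
    order-insensitive, trailing dots ignored."""
    return frozenset(d.strip().lower().rstrip(".") for d in domains)


def per_server_domains(shared, host):
    """Shared site name plus a per-host name, e.g. example.com + web1.example.com."""
    return [shared, f"{host}.{shared}"]


def certbot_argv(domains, email, webroot="/var/www/html"):
    """Build the certbot invocation a host would run for its own set."""
    argv = ["certbot", "certonly", "--non-interactive", "--agree-tos",
            "-m", email, "--webroot", "-w", webroot]
    for d in domains:
        argv += ["-d", d]
    return argv


def colliding_hosts(requests):
    """Given {host: domains}, return groups of hosts that would request the
    same identifier set and so share one duplicate-certificate budget."""
    by_set = {}
    for host, domains in requests.items():
        by_set.setdefault(identifier_set(domains), []).append(host)
    return [hosts for hosts in by_set.values() if len(hosts) > 1]


def duplicates_in_window(history, domains, now):
    """history: iterable of (issued_at, domains). Count issuances of the same
    exact set inside the trailing window."""
    key = identifier_set(domains)
    return sum(1 for issued_at, ds in history
               if now - issued_at < WINDOW and identifier_set(ds) == key)


def would_exceed_duplicate_limit(history, domains, now):
    return duplicates_in_window(history, domains, now) >= DUPLICATE_LIMIT


def fleet_plan(shared, hosts, email):
    """One certbot invocation per host; refuses a plan where two hosts collide."""
    requests = {h: per_server_domains(shared, h) for h in hosts}
    if colliding_hosts(requests):
        raise ValueError("two hosts would request the same identifier set")
    return {h: certbot_argv(ds, email) for h, ds in requests.items()}


def run_demo():
    """Five servers renewing in one week: identical sets exhaust the duplicate
    budget, per-server sets do not."""
    now = datetime(2024, 1, 8, 3, 0)  # constructed timestamp
    hosts = [f"web{i}" for i in range(5)]
    naive_history = [(now - timedelta(days=i), ["example.com"]) for i in range(5)]
    per_host_history = [(now - timedelta(days=i), per_server_domains("example.com", h))
                        for i, h in enumerate(hosts)]
    return {
        "naive_blocked": would_exceed_duplicate_limit(naive_history, ["EXAMPLE.COM."], now),
        "per_host_blocked": would_exceed_duplicate_limit(
            per_host_history, per_server_domains("example.com", "web0"), now),
        "plan": fleet_plan("example.com", hosts, "ops@example.com"),
    }


if __name__ == "__main__":
    print(run_demo())
```

Each server still has to answer the HTTP-01 challenge for both names in its own set, so the shared name must route to whichever server is renewing at that moment, which is the part the original question is about.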

noinsight 4 days ago

Orchestrate the renewal with Ansible - renew on the "master" server remotely but pull the new key material to your orchestrator and then push them to your server fleet. That's what I do. It's not "clean" or "ideal" to my tastes, but it works.

It also occurred to me that there's nothing(?) preventing you from concurrently having n valid certificates for a particular hostname, so you could just enroll distinct certificates for each host. Provided the validation could be handled somehow.

The other option would maybe be doing DNS-based validation from a single orchestrator and then pushing that result onto the entire fleet.
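The "pull from the master, push to the fleet" step above, as an added example that is not part of the thread and not an Ansible playbook: it shows the checks an orchestrator should make when distributing key material, namely a PEM sanity check before anything is shipped, an atomic replace so a web server never reads a half-written file, 0600 on the private key from the first instant it exists, and a changed-set so only hosts that actually received new material get a reload. The fleet is modelled as local directories standing in for remote hosts, and the PEM contents are constructed placeholders, not real certificates or keys.

```python
"""Added example (not from the thread): distribute renewed certificate and key
from one source directory to a fleet, with integrity and permission checks.
Hosts are constructed as local directories; PEM blobs are placeholders."""
import hashlib
import os
import pathlib
import tempfile

CERT_FILE = "fullchain.pem"
KEY_FILE = "privkey.pem"

# Constructed stand-ins for what certbot leaves under /etc/letsencrypt/live/<name>/.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def is_pem(data, label):
    """Cheap sanity check before shipping: the first line is a PEM header that
    names `label` (CERTIFICATE, PRIVATE KEY, ...) and an END line exists."""
    first = data.lstrip().split(b"\n", 1)[0]
    return first.startswith(b"-----BEGIN ") and label.encode() in first and b"-----END " in data


def atomic_write(path, data, mode):
    """Write to a temp file in the target directory, set its mode, fsync, then
    rename over the target: readers see either the old file or the complete
    new one, and the key is never world-readable, not even briefly."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=path.parent, prefix=".incoming-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(data)
            fh.flush()
            os.fsync(fh.fileno())
        os.chmod(tmp, mode)
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def deploy(src_dir, fleet):
    """Copy cert and key from src_dir into every fleet directory ({host: dir}).
    Returns the hosts whose material changed, so only those need a reload."""
    src = pathlib.Path(src_dir)
    bundle = {
        CERT_FILE: ((src / CERT_FILE).read_bytes(), "CERTIFICATE", 0o644),
        KEY_FILE: ((src / KEY_FILE).read_bytes(), "PRIVATE KEY", 0o600),
    }
    for name, (data, label, _) in bundle.items():
        if not is_pem(data, label):
            raise ValueError(f"{name} is not a PEM {label}; refusing to deploy")
    changed = []
    for host, dest in fleet.items():
        dest = pathlib.Path(dest)
        for name, (data, _, mode) in bundle.items():
            target = dest / name
            up_to_date = (
                target.exists()
                and hashlib.sha256(target.read_bytes()).digest() == hashlib.sha256(data).digest()
                and (target.stat().st_mode & 0o777) == mode
            )
            if not up_to_date:
                atomic_write(target, data, mode)
                if host not in changed:
                    changed.append(host)
    return changed


def run_demo():
    """First run changes every host; the second run is a no-op."""
    root = pathlib.Path(tempfile.mkdtemp(prefix="le-fleet-"))
    src = root / "master"
    src.mkdir()
    (src / CERT_FILE).write_bytes(SAMPLE_CERT)
    (src / KEY_FILE).write_bytes(SAMPLE_KEY)
    fleet = {"web1": root / "web1", "web2": root / "web2"}  # constructed hosts
    first = deploy(src, fleet)
    second = deploy(src, fleet)
    key_mode = (fleet["web1"] / KEY_FILE).stat().st_mode & 0o777
    return {"first": sorted(first), "second": second, "key_mode": key_mode}


if __name__ == "__main__":
    print(run_demo())
```

In a real orchestrator the destination directory is reached over SSH and the returned host list drives the reload step; the digest comparison is what keeps an every-day cron run from restarting services that already have the current certificate.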

pornel 3 days ago

I copy the same certbot account settings and private key to all servers and they obtain the certs themselves.

It is a bit funny that LetsEncrypt has non-expiring private keys for their accounts.

bayindirh 4 days ago

There's a tool called "lsyncd" which watches for a file and syncs the changed file to other servers "within seconds".

I use this to sync users between small, experimental cluster nodes.

Some notes I have taken: https://notes.bayindirh.io/notes/System+Administration/Synci...

navigate8310 4 days ago

Have you tried certbot? Or if you want a turnkey solution, you may try Caddy or Traefik that have their own automated certificate generation utility.

throw0101b 4 days ago

getssl was written with a bit of a focus on this:

> Get certificates for remote servers - The tokens used to provide validation of domain ownership, and the certificates themselves can be automatically copied to remote servers (via ssh, sftp or ftp for tokens). The script doesn't need to run on the server itself. This can be useful if you don't have access to run such scripts on the server itself, e.g. if it's a shared server.

* https://github.com/srvrco/getssl

dboreham 4 days ago

DNS verification.