1 domain, 3 servers and 1 cert

Hi

This is my first post here. Please tell me if I have posted this question at the wrong place.

I have 1 domain, 3 servers (ubuntu 14.04, apache) in different geographical locations. I also have a dynamic DNS (DNS made easy). Most of the time server 1 is up and running my website. When server 1 goes down my dynamic DNS redirects the domain to server 2. If server 2 is down it redirects the domain to server 3. Everything works perfectly.

I just installed a letsencrypt cert on server 1. My question is:

1 - How do I install a cert on server 2 and 3? I do not want a load balancer.

2 - How do I renew the cert on server 2 and 3?

3 - Is it possible to install a cert on server 2 and 3 exactly as I did on server 1 if I first tell the DNS to point to that server? I wonder because as far as I know you can not install a cert on an IP number, it must be a domain.

4 - I want to renew the cert automatically on server 2 and 3 if possible so I don't have to touch the servers. (On server 1 this is a cron job that was set up when installing the cert.)

As I see it there are 2 options.
1 - Install same cert on all servers.
2 - Some kind of cron/rsync to copy cert files to server 2 and 3.

Maybe I am wrong but this is all I know about this subject.

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:

The answers to most of your questions depend upon whether you want to use one to three dns-01 challenges (that can be satisfied from any of your servers or even a different system entirely) or one to three http-01 challenges (that would need to be satisfied on your servers). You could honestly probably benefit greatly from using caddy as your webserver rather than apache or nginx as it would handle basically everything cert-related for you dynamically as needed.

If you're using http-01 challenges, I'll let you in on a trick that would work wonders in your situation. If you install the same ACME account credentials on all three servers, you can acquire/renew the certificate on the first server. Once you do, the authenticated challenge(s) will be cached against your account for four weeks. When you go to acquire a certificate on the second and third servers, no challenge files will need to be verified on those servers and thus it won't matter if your domain name is even pointing to those servers. As long as the second and third servers can run your ACME client (e.g. certbot), they can automatically acquire a certificate. This could even happen through a cron job on the second and third servers for renewal, as long as the renewal succeeds on the first server before any attempts are made to renew on the second and third servers. This would involve coordinating your cron jobs very carefully.

Another note: Don't attempt this strategy with more than five servers. You'll almost certainly hit the duplicate certificate rate limit.

3 Likes
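The account-sharing trick above starts with getting the same ACME account credentials onto the standby servers. The script below is an added example, not code from the thread or from certbot; it assumes a hypothetical standby host name (server2.example.com) and uses certbot's standard on-disk account layout under /etc/letsencrypt/accounts. It copies the account tree from server 1 and then checks that the standby really ends up with the same account ID(s) before any certbot job is allowed to run there.

```shell
#!/bin/sh
# Share one certbot ACME account between server 1 and a standby server so the
# standby can request/renew the same certificate under that account.
# Hypothetical host name (server2.example.com); paths are certbot's standard
# layout. Run on server 1 as root: `sh share-acme-account.sh run server2.example.com`.
set -eu

ACCOUNTS_DIR="/etc/letsencrypt/accounts"

# Print the account IDs in an accounts tree, one per line, sorted. certbot keeps
# each account as accounts/<acme-server>/directory/<account-id>/{regr.json,
# private_key.json,meta.json}; private_key.json is the ACME account key itself.
list_account_ids() {
    find "$1" -name regr.json 2>/dev/null | while read -r f; do
        basename "$(dirname "$f")"
    done | sort
}

# True when two ID lists are identical and not empty (an empty tree on the
# standby would otherwise compare equal to a mistyped local path).
ids_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

sync_account() {
    host="$1"
    # Copy the whole tree; -a keeps certbot's 0700/0600 modes so the account
    # key stays root-only on the standby.
    rsync -a "$ACCOUNTS_DIR/" "root@$host:$ACCOUNTS_DIR/"
    # Ask the standby which account IDs it now has and compare with ours.
    remote_ids=$(ssh "root@$host" "find $ACCOUNTS_DIR -name regr.json" \
        | while read -r f; do basename "$(dirname "$f")"; done | sort)
    if ids_match "$(list_account_ids "$ACCOUNTS_DIR")" "$remote_ids"; then
        echo "$host: ACME account(s) match server 1"
    else
        echo "$host: account trees differ; do not run certbot there yet" >&2
        exit 1
    fi
}

if [ "${1:-}" = "run" ]; then
    sync_account "${2:-server2.example.com}"
fi
```

Once the accounts match, the standby still needs to have obtained the certificate once itself (which is what creates its /etc/letsencrypt/renewal/<domain>.conf); after that a cron entry running `certbot renew --quiet` a few hours after server 1's renewal job is enough, which is the cron coordination the post above warns you to get right.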

While I agree that getting a separate certificate for all three servers is probably the easiest solution, I'd like to note that securely distributing the certificate from server 1 to servers 2 and 3 is also perhaps elegant. This of course would only be possible if you're OK with a single private key on all three servers. I.e., if one of the servers gets hacked, the private key would be compromised on the other 2 servers too.

1 Like

I now have 3 servers with the same cert. It works perfectly. I wonder what happens if the cert on server 1 is renewed, but not the certs on server 2 and 3. Are the certs on server 2 and 3 still ok to be used until expired or will they get revoked when the cert on server 1 is renewed?

I'm going to copy the new cert from server 1 to server 2 and 3 (with a cronjob once a week) when it's renewed. Will this work as described above?

2 Likes

They'll be fine, there is no revoking happening at renewal.

Make sure you'll also have a mechanism to reload your webservers at server 2 and 3 after distribution of new certificates. Without a reload, the webservers won't pick up the new cert.

1 Like
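The weekly copy job described two posts up, with the reload step the reply asks for, as an added example that is not code from the thread: it assumes hypothetical host names (example.com, server2.example.com, server3.example.com), root SSH access from server 1 to the standbys, and certbot's default /etc/letsencrypt/live layout. Before pushing anything it checks that the certificate and private key actually belong together, and it reloads Apache on a standby only when rsync reports that a file really changed.

```shell
#!/bin/sh
# Push the renewed Let's Encrypt certificate from server 1 to the standby
# servers and reload Apache there only when a file actually changed.
# Hypothetical host names/paths; run from cron on server 1, e.g.
#   0 4 * * 1 /usr/local/sbin/distribute-cert.sh run
set -eu

DOMAIN="${DOMAIN:-example.com}"
LIVE_DIR="/etc/letsencrypt/live/$DOMAIN"     # certbot's symlinks to the current files
REMOTE_DIR="/etc/letsencrypt/live/$DOMAIN"   # same layout on the standbys
STANDBYS="${STANDBYS:-server2.example.com server3.example.com}"
FILES="fullchain.pem privkey.pem"

# True when rsync --itemize-changes output lists at least one regular file that
# was actually transferred ('>f' or '<f'). Unchanged files produce no line and a
# file whose mtime alone changed is listed as '.f..t......', which must not
# trigger a reload.
itemized_has_file_changes() {
    printf '%s\n' "$1" | grep -q '^[<>]f'
}

# Refuse to distribute a cert/key pair that does not belong together: compare the
# public key inside the certificate with the one derived from the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1")
    key_pub=$(openssl pkey -pubout -in "$2")
    [ "$cert_pub" = "$key_pub" ]
}

push_to_host() {
    host="$1"
    # -L follows the live/ symlinks so the real files are copied; -i reports
    # per-file changes; --checksum compares content rather than timestamps.
    changed=$(cd "$LIVE_DIR" && rsync -aiL --checksum $FILES "root@$host:$REMOTE_DIR/")
    if itemized_has_file_changes "$changed"; then
        # Apache only reads the cert at (re)start: lock down the key, test the
        # config, then reload (upstart-style service command on Ubuntu 14.04).
        ssh "root@$host" "chmod 600 $REMOTE_DIR/privkey.pem && apache2ctl configtest && service apache2 reload"
        echo "$host: certificate updated and Apache reloaded"
    else
        echo "$host: certificate unchanged, no reload"
    fi
}

main() {
    cert_matches_key "$LIVE_DIR/fullchain.pem" "$LIVE_DIR/privkey.pem" || {
        echo "cert and key in $LIVE_DIR do not match; aborting" >&2
        exit 1
    }
    for h in $STANDBYS; do
        push_to_host "$h"
    done
}

# Invoke as `sh distribute-cert.sh run` so sourcing the file for its functions
# does not start a distribution.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because this copies the private key, use a dedicated SSH key on server 1 for the job and, as the earlier reply points out, accept that compromise of any one server exposes the key used by all three. Running the cron entry a few hours after certbot's own renewal cron on server 1 means the standbys pick up a renewed cert within the week.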

For those looking at multi server installs of certs, see also Hashicorp Vault (and other secrets managers).

One strategy for cert distribution is to publish your cert to a vault/key store then allow the servers that need it to download (and apply) the latest cert regularly. While this requires more customisation than certbot etc., it does mean you can scale the cert distribution, centralize validation to one system (e.g. using DNS validation), simplify administration and avoid rate limits etc.

2 Likes