Hi, so I have an old website I’m trying to get working with SSL very quickly, thanks to the latest Chrome update.
I have two A records for the domain which go to two separate servers. I’ve managed to get certbot to acquire certificates for both simply by running it repeatedly on both until it randomly chose the correct IP for the server…
I know this is a hackish approach and not the correct way to get multiple A records to work, but my question is, is it good enough for now? Will the certificates renew correctly in the future? Is there anything I missed that will mean this doesn’t work? (I assume I have two different certificates but they are both equally valid?)
I have read about the correct way to do this, but since this is an old website I’m currently rebuilding, I’d rather save my efforts for the new version…
You do have two certificates which are equally valid. However, renewal generally requires re-testing your control over the domain name, which means its probability of success is also only half. If you use an unattended renewal with certbot renew, each one may have a 50% chance of failure.
That might actually be OK because our recommended cron job would run twice per day, and so it would probably eventually succeed (if you created, or allowed an OS package to create, a recommended certbot renew cron job). However, you should understand that the renewal process runs the same kind of domain control validation as the initial issuance does, so it's subject to the same failure mode.
If you’re using HTTP-01 validation, some web servers (e.g. Nginx) should make it very easy to do “serve the file if it exists, or redirect to http://other-server.example.net/ if it doesn’t”. That would fairly easily allow reliable HTTP-01.
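The "serve the token if it exists, otherwise redirect to the other server" pattern described in the reply above, written out as an Nginx configuration. This is an added example, not configuration from the original post or from certbot; the hostnames (`example.com`, `other-server.example.net`, the page's own placeholder), the webroot path `/var/www/letsencrypt` and the assumption that certbot runs in webroot mode on each host are all assumptions made here.

```nginx
# Port-80 server block on host A. Host B carries the mirror image of this
# block, with its redirect pointing back at host A. Assumed names and paths.
server {
    listen 80;
    server_name example.com;

    # ACME HTTP-01 validation. certbot in webroot mode writes the token to
    #   /var/www/letsencrypt/.well-known/acme-challenge/<TOKEN>
    # e.g.  certbot certonly --webroot -w /var/www/letsencrypt -d example.com
    # If the token exists on this host, serve it; if not, the validation
    # request landed on the wrong A record, so hand it to the other host.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        default_type text/plain;
        try_files $uri @other_acme_host;
    }

    # The redirect target must be a name that resolves ONLY to the other
    # server (not the round-robin name), or the request may bounce back here.
    location @other_acme_host {
        return 302 http://other-server.example.net$request_uri;
    }

    # Everything else goes to HTTPS once the certificate is in place.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Let's Encrypt follows the redirect and fetches the token from the other host, so validation succeeds whichever A record the validator picks. If neither host has the token (for example a stale request), the two redirects chase each other until the validator gives up, which simply fails that attempt rather than misissuing anything. After deploying the block on both hosts, `certbot renew --dry-run` on each server exercises the full validation path against the staging environment and is the quickest way to confirm that unattended renewal will no longer depend on luck.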