I made a tool for this as well:
which works out of the box both for certbot and ACME.sh
However, you have to use static private keys on the main certbot ACME client and also transfer the private keys to the sub-servers by sneakernet (USB or similar)
@sebastiannielsen I moved your post to its own thread. We like each unique problem or topic to be its own. Your tool is very different than the other thread's and it will be clearer if all comments remain with their respective tool.
yeah, it's OK, I just didn't know where to place it since it's not a "client" but more of a "server". So when someone started a thread about it, I thought it would be better to have all solutions for "distributing certs to subservers" in one place.
It is a reasonable thought but there are numerous threads here that discuss that as well as strategies for large deployments. A place to consolidate tooling beyond ACME clients and monitoring might be useful. But, there isn't a thread, page, or wiki like that.
Interesting! How does the private key part work, do you just re-use the same private key for everything?
I mentioned that in the post - "However, you have to use static private keys on the main certbot ACME client and also transfer the private keys to the sub-servers by sneakernet (USB or similar)"
So you just use a static private key, that you pre-distribute securely.
Using a static private key also enables using TLSA records with 3 1 1 without having to update DNS as well.
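To illustrate the TLSA point, here is an added example (not part of the thread or of the tool discussed in it): a DANE-EE "3 1 1" record hashes only the certificate's SubjectPublicKeyInfo (selector 1) with SHA-256 (matching type 1), so two certificates issued for the same static key yield the same record, while a rotated key changes it. It assumes `openssl` is on PATH and uses constructed self-signed certificates for the hypothetical host `example.test`.

```shell
#!/bin/sh
# Added example: compute TLSA 3 1 1 digests and show that they depend only on the
# public key, not on the certificate that wraps it. Assumes openssl is installed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# tlsa_311 <cert.pem>: hex SHA-256 of the certificate's DER-encoded SubjectPublicKeyInfo,
# which is the data field of a "3 1 1" TLSA record.
tlsa_311() {
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 \
      | awk '{print $NF}'
}

# tlsa_record <host> <port> <cert.pem>: full DNS record line for the certificate
tlsa_record() {
    printf '_%s._tcp.%s. IN TLSA 3 1 1 %s\n' "$2" "$1" "$(tlsa_311 "$3")"
}

# selfsigned <key.pem> <out.pem> <cn>: short-lived self-signed certificate for a key
selfsigned() {
    openssl req -new -x509 -key "$1" -out "$2" -days 1 -subj "/CN=$3" >/dev/null 2>&1
}

# Constructed material: one static key with two certificates issued from it
# (as a static-key ACME client would do on renewal), plus a freshly rotated key.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/static.key" 2>/dev/null
selfsigned "$WORK/static.key" "$WORK/cert1.pem" example.test
selfsigned "$WORK/static.key" "$WORK/cert2.pem" example.test
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/rotated.key" 2>/dev/null
selfsigned "$WORK/rotated.key" "$WORK/cert3.pem" example.test

# same_key_same_record: "yes" when renewal with the static key leaves the record unchanged
same_key_same_record() {
    if [ "$(tlsa_311 "$WORK/cert1.pem")" = "$(tlsa_311 "$WORK/cert2.pem")" ]; then
        echo yes
    else
        echo no
    fi
}

# rotated_key_changes_record: "yes" when a new key would require a DNS update
rotated_key_changes_record() {
    if [ "$(tlsa_311 "$WORK/cert1.pem")" != "$(tlsa_311 "$WORK/cert3.pem")" ]; then
        echo yes
    else
        echo no
    fi
}

tlsa_record example.test 443 "$WORK/cert1.pem"
tlsa_record example.test 443 "$WORK/cert2.pem"
echo "static key keeps record: $(same_key_same_record)"
echo "rotated key changes record: $(rotated_key_changes_record)"
```

Running it prints two identical TLSA lines for the two certificates issued from the static key; only the rotated key produces a different digest, which is exactly the DNS update the static-key setup avoids.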