I have about 20-30 subdomains being hosted on various systems (mostly Apache, some Nginx) which sit behind an Apache reverse proxy. Setting up the reverse proxy machine to obtain HTTPS certs was fairly trivial, but now comes the problem of Google's and Mozilla's changes to their web browsers, which require me to also have HTTPS available inside the network.
Is there an automated and reasonably secure way to deploy the certificates to the other systems behind the proxy?
The methods I have considered and discarded:
- simply re-run certbot on each machine (prohibited by rate limiting, but easily the best option)
- rsync from proxy to each system (very insecure)
- configure an http server which contains the key/cert only available on the local network with a script on each of the other machines to copy updated keys (complicated, huge security issues)
- somehow upload the key/cert to a different machine inside the network on renewal and somehow inform the internal servers so they can download them and re-deploy (really complicated)
I looked into doing this with Jenkins as well, but I couldn’t find something ready-made to do the job. If anyone knows of something, the help would be greatly appreciated!