Automated deployment of key/cert from reverse proxy to internal systems

I don’t think there’s that much coreographing required.

This is approximately what I’ve done in the past.

On the load balancer

Deploy hook (/root/

#!/usr/bin/env bash
set -e
for domain in $RENEWED_DOMAINS; do
   # Just an example, you can use any non-sensitive storage medium you want
  aws s3 cp --follow-symlinks "$RENEWED_LINEAGE/fullchain.pem" "s3://$domain.pem"

Certbot invocation:

certbot-auto certonly -a apache -d \
--reuse-key --deploy-hook /root/

On the backends

12 hourly cronjob

#!/usr/bin/env bash

# Put this in crontab for every 12 hours
# Assuming Apache, and that your private key and certificate are located in
# - /etc/apache2/privkey.pem
# - /etc/apache2/fullchain.pem , respectively

set -euf -o pipefail

# Download the latest certificate to a temporarily location so we can check validity
curl -s -o /tmp/fullchain.pem

# Verify the certificate is valid for our existing key (should be)
MOD_CRT=$(openssl x509 -noout -modulus -in /tmp/fullchain.pem | openssl md5)
MOD_KEY=$(openssl rsa -noout -modulus -in /etc/apache2/privkey.pem | openssl md5)
if [ "$MOD_CRT" != "$MOD_KEY" ]; then
  echo "Key didn't match: $MOD_CRT vs $MOD_KEY"
  exit 1

# Deploy the certificate and graceful reload
echo "New certificate: $(openssl x509 -in /tmp/fullchain.pem -noout -subject -dates -issuer)"
cp /tmp/fullchain.pem /etc/apache2/fullchain.pem
apachectl -k graceful

Private keys never touch the network, no new creation of privilege. You can run Monit on the proxy or whatever existing monitoring mechanisms you have to check that the validity of the backend servers’ certificates are >14 days or whatever.

1 Like