I don’t think there’s that much choreographing required.
This is approximately what I’ve done in the past.
On the load balancer
Deploy hook (/root/deploy_hook.sh):
#!/usr/bin/env bash
set -e
for domain in $RENEWED_DOMAINS; do
# Just an example, you can use any non-sensitive storage medium you want
aws s3 cp --follow-symlinks "$RENEWED_LINEAGE/fullchain.pem" "s3://cert-storage.example.org/certs/$domain.pem"
done
Certbot invocation:
certbot-auto certonly -a apache -d example.org \
--reuse-key --deploy-hook /root/deploy_hook.sh
On the backends
12-hourly cronjob:
#!/usr/bin/env bash
# Put this in crontab for every 12 hours
# Assuming Apache, and that your private key and certificate are located in
# - /etc/apache2/privkey.pem
# - /etc/apache2/fullchain.pem , respectively
set -euf -o pipefail
KEY=/etc/apache2/privkey.pem
CRT=/etc/apache2/fullchain.pem
# Download the latest certificate to a temporary file (not a predictable /tmp path) so we can check validity.
# -f makes curl fail on an HTTP error instead of saving the error page as a "certificate".
TMP=$(mktemp)
trap 'rm -f "$TMP"' EXIT
curl -fsS -o "$TMP" https://cert-storage.example.org/certs/example.org.pem
# Verify the certificate belongs to our existing key (it should, since certbot runs with --reuse-key).
# Comparing the public keys works for both RSA and EC keys, unlike comparing the RSA modulus.
PUB_CRT=$(openssl x509 -noout -pubkey -in "$TMP" | openssl md5)
PUB_KEY=$(openssl pkey -pubout -in "$KEY" | openssl md5)
if [ "$PUB_CRT" != "$PUB_KEY" ]; then
echo "Key didn't match: $PUB_CRT vs $PUB_KEY"
exit 1
fi
# Nothing to do if the certificate we already serve is identical; avoids a needless reload every 12 hours
if cmp -s "$TMP" "$CRT"; then
exit 0
fi
# Deploy the certificate and graceful reload
echo "New certificate: $(openssl x509 -in "$TMP" -noout -subject -dates -issuer)"
install -m 0644 "$TMP" "$CRT"
apachectl -k graceful
Private keys never touch the network, no new creation of privilege. You can run Monit on the proxy or whatever existing monitoring mechanisms you have to check that the validity of the backend servers’ certificates is >14 days or whatever.
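A check for the monitoring step mentioned above, as an added example that is not part of the original post: it fetches the certificate each backend actually serves and fails if fewer than 14 days of validity remain. It assumes GNU date and that the backends serve on port 443 with SNI for example.org; the function names and the MIN_DAYS variable are my own.

```shell
#!/usr/bin/env bash
# Added monitoring example (not from the original post). Assumes GNU date.
set -eu

MIN_DAYS="${MIN_DAYS:-14}"   # threshold from the post: alert below 14 days

# Print the number of whole days until the PEM certificate in $1 expires.
cert_days_left() {
    local end_date epoch_end epoch_now
    end_date=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    epoch_end=$(date -u -d "$end_date" +%s)   # GNU date parses "Mar  1 12:00:00 2030 GMT"
    epoch_now=$(date -u +%s)
    echo $(( (epoch_end - epoch_now) / 86400 ))
}

# Fetch the leaf certificate a backend really serves (with SNI set to the
# expected hostname, so we see the same cert a client would) into a temp file.
fetch_served_cert() {
    local host="$1" port="${2:-443}" servername="${3:-$1}" tmp
    tmp=$(mktemp)
    openssl s_client -connect "$host:$port" -servername "$servername" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$tmp"
    echo "$tmp"
}

# Return 0 if the certificate in $1 has at least $2 days left, 1 otherwise.
check_min_validity() {
    local days
    days=$(cert_days_left "$1")
    if [ "$days" -lt "$2" ]; then
        echo "WARNING: $1 expires in $days days (threshold $2)" >&2
        return 1
    fi
    echo "OK: $1 has $days days left"
}

# Check every backend given as an argument; non-zero exit if any is below threshold.
check_backends() {
    local rc=0 host pem
    for host in "$@"; do
        pem=$(fetch_served_cert "$host" 443 example.org)
        check_min_validity "$pem" "$MIN_DAYS" || rc=1
        rm -f "$pem"
    done
    return $rc
}
```

Run it from the proxy or a monitoring host as `check_backends backend1.internal backend2.internal`; Monit or cron can act on the exit status.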