Automatic renewal across multiple systems serving the same domain

Hi everyone,

I’d like to clarify the recommended approach for certificate renewal in a setup where multiple systems (e.g. a local reverse proxy and a cloud-based security layer) serve HTTPS for the same domain.

My goal is to have certificates always valid on both systems, ideally with automatic renewal.

From what I understand, there are two possible approaches:

  1. Each system independently obtains and renews certificates via Let's Encrypt
  2. A single system handles certificate issuance/renewal, and the certificate is then distributed to the other systems

My questions are:

  • Is it supported or recommended to have multiple systems independently renew certificates for the same set of domains?
  • Could this approach lead to rate limits or validation conflicts?
  • Is the only reliable approach to centralize certificate renewal and distribute the certificate to all systems?
  • In such a centralized model, is there any recommended pattern to keep certificates in sync across systems while maintaining automation?

The goal is to achieve a fully automated and reliable renewal process without hitting rate limits or introducing unnecessary complexity.

Thanks in advance for your guidance!

Welcome @alexremondini. Yes, you have a good understanding of your options.

You can do that subject to rate limits. The more likely one is a max of 5 identical certs in the past week. If you only have two systems acquiring certs you would only exceed that if you mess up. See: Rate Limits - Let's Encrypt

No, centralized acquisition and your example of two systems can both be reliable. It really depends on your admin skills and comfort with the ACME tools and your systems.

There is no specific recommendation as this depends on your requirements. Anything from simple copies to your target or pulling the key/cert from a central repository. Along with reloading the service, if needed, once it gets a fresh cert.

Personally I'd lean towards having one location acquiring your cert and sort out the distribution. Systems tend to grow and change and this keeps you more in control of that. However, if your Cloud security product handles ACME cert management really well that offsets that concern.
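A concrete form of the "copy to your target, then reload" pattern in MikeMcQ's answer, added here as an example rather than code from the thread: a certbot deploy hook (certbot runs `--deploy-hook` scripts only after a successful renewal and exports `RENEWED_LINEAGE` and `RENEWED_DOMAINS` to them) that first checks that the renewed key and certificate belong together, then pushes them to the other systems and reloads each service. The destination hosts, directories, reload command and the `CERT_*` environment variables are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: a certbot --deploy-hook that pushes a
# freshly renewed certificate to the other systems serving the same domain and
# reloads them. certbot runs the hook only after a successful renewal and
# exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS. Destinations and the reload command are assumptions.
#   certbot renew --deploy-hook /usr/local/sbin/push-cert.sh
set -eu

# "host:/dir" entries are pushed over ssh; a bare "/dir" is a second service
# on this host that reads its certificate from its own path.
DESTINATIONS="${CERT_DESTINATIONS:-proxy2.internal:/etc/ssl/letsencrypt}"
RELOAD_CMD="${CERT_RELOAD_CMD:-systemctl reload nginx}"

# Refuse to distribute a mismatched pair: the SubjectPublicKeyInfo derived
# from the private key must equal the one embedded in the leaf certificate.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# True if the certificate in $1 is still valid $2 seconds from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Deliver one lineage to every destination given as an argument, then reload.
deploy_lineage() {
    lineage="$1"; shift
    cert="$lineage/fullchain.pem"; key="$lineage/privkey.pem"
    key_matches_cert "$key" "$cert" || { echo "refusing: privkey.pem does not match fullchain.pem in $lineage" >&2; return 1; }
    cert_valid_for "$cert" 86400 || { echo "refusing: certificate in $lineage expires within 24h" >&2; return 1; }
    for dest in "$@"; do
        case "$dest" in
            *:*) host="${dest%%:*}"; dir="${dest#*:}"
                 scp -q -p "$cert" "$key" "$host:$dir/"
                 ssh -n "$host" "$RELOAD_CMD" ;;
            *)   mkdir -p "$dest"
                 cp -p "$cert" "$key" "$dest/"
                 chmod 600 "$dest/privkey.pem"
                 sh -c "$RELOAD_CMD" ;;
        esac
    done
}

# certbot sets RENEWED_LINEAGE only when it invokes the hook itself, so the
# script does nothing when sourced or run by hand without it.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_lineage "$RENEWED_LINEAGE" $DESTINATIONS   # word-split on purpose
fi
```

The hook runs as root on the ACME host and holds an ssh identity that can write private keys on the peers, so restrict that identity on each peer (a dedicated deploy user that owns only the certificate directory and may run the reload, or a forced command) and keep the hook idempotent so a re-run after a partial failure just copies the same files again.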

Hi @MikeMcQ, thank you for the clear and detailed explanation.

Another way is to lock the private key in certbot (--reuse-key), then copy the private key to the second server by "sneakernet"; then you can fetch the certificate on your other servers with a command like:

openssl x509 -in <(openssl s_client -showcerts -servername _YOURDOMAIN_ -connect _YOURDOMAIN_:443 -prexit 2>/dev/null </dev/null) -out /path/to/certificate/location.pem

which then fetches the certificate from the SSL endpoint of your "main" server.
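The pull side of the `--reuse-key` plus sneakernet approach above, added here as an example rather than code from the thread. Two things a secondary server will care about differ from the one-liner: `openssl x509 -in` reads only the first PEM block, so the one-liner keeps the leaf and drops the intermediates the primary served, and a matching public key alone does not prove the fetched certificate came from a CA you trust. The script below keeps the whole served chain, requires the leaf to match the local private key and to verify against a trusted CA, and installs and reloads only when the chain actually changed, so it can run from cron. Host names, paths, the reload command and the `CERT_*` environment variables are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: the pull side of the --reuse-key
# approach. Run from cron on a secondary server that already holds the private
# key (copied out of band). It fetches the whole chain the primary serves,
# checks that the leaf belongs to the local key and chains to a trusted CA,
# and only then installs it and reloads. Names, paths and the reload command
# are assumptions.
#   pull-cert.sh primary.example.com 443 /etc/ssl/private/example.key /etc/ssl/example-chain.pem
set -eu

RELOAD_CMD="${CERT_RELOAD_CMD:-systemctl reload nginx}"
VERIFY_CA="${CERT_VERIFY_CA:-}"   # empty: verify against the system trust store

# Keep every PEM certificate block; "openssl x509 -in" on s_client output
# would keep only the first one and silently drop the intermediates.
extract_pem_chain() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}'
}

# Connect with SNI $1 to $2:$3 and write the served chain to $4.
fetch_chain() {
    openssl s_client -showcerts -servername "$1" -connect "$2:$3" </dev/null 2>/dev/null \
        | extract_pem_chain >"$4"
    grep -q 'BEGIN CERTIFICATE' "$4"
}

# The leaf is the first block; its SubjectPublicKeyInfo must equal the one
# derived from our private key. Anyone can embed our public key in a cert
# of their own, so this is combined with the chain check below.
key_matches_leaf() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    leaf_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$leaf_pub" ]
}

# Leaf must chain to a trusted root via the served intermediates and must
# still be valid a day from now.
chain_is_trusted() {
    chain="$1"; leaf=$(mktemp)
    openssl x509 -in "$chain" -out "$leaf"
    if [ -n "$VERIFY_CA" ]; then
        openssl verify -CAfile "$VERIFY_CA" -untrusted "$chain" "$leaf" >/dev/null 2>&1 && rc=0 || rc=$?
    else
        openssl verify -untrusted "$chain" "$leaf" >/dev/null 2>&1 && rc=0 || rc=$?
    fi
    rm -f "$leaf"
    [ "$rc" -eq 0 ] && openssl x509 -in "$chain" -noout -checkend 86400 >/dev/null 2>&1
}

# Install only a chain that passes both checks and differs from what is
# deployed; prints "installed" or "unchanged", fails on a rejected chain.
install_chain() {
    key="$1"; fetched="$2"; dest="$3"
    key_matches_leaf "$key" "$fetched" || { echo "refusing: leaf does not match $key" >&2; return 1; }
    chain_is_trusted "$fetched" || { echo "refusing: chain does not verify or expires within 24h" >&2; return 1; }
    if [ -f "$dest" ] && cmp -s "$fetched" "$dest"; then echo unchanged; return 0; fi
    cp "$fetched" "$dest" && chmod 644 "$dest"
    sh -c "$RELOAD_CMD"
    echo installed
}

# Cron entry point: <primary host> <port> <local key> <destination chain file>
if [ $# -eq 4 ]; then
    tmp=$(mktemp); trap 'rm -f "$tmp"' EXIT
    fetch_chain "$1" "$1" "$2" "$tmp"
    install_chain "$3" "$tmp" "$4"
fi
```

Because the service on the secondary is only reloaded when the chain changes, the job can run every few hours without churn, and a certificate served by an impostor endpoint is rejected twice over: it either does not match the local key or does not verify.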