There are various types of cluster, for example, active-active with multiple DNS entries or load balancers and also active-passive with floating IP or similar failover arrangements.
There are various discussions online about how to use Let’s Encrypt to generate a certificate and distribute it within a cluster.
It is generally best practice to generate the private key on a server and keep it there with very tightly controlled permissions. The private key is never sent to a CA; only a CSR is sent to a CA. However, in many of the examples for clustering, people suggest obtaining a single certificate and then using some scripts to replicate both the certificate and private key to all the other cluster nodes. Many of the replication strategies I’ve seen mentioned aren’t ideal for private keys; some of them actually transport the key unencrypted over the network.
Does Let’s Encrypt encourage this approach, creating one key pair and replicating it, or is it intended that each node in a cluster should generate its own key pair and CSR?
In the case of replicating the private key and certificate, what methods are recommended?
In the case of creating different key pairs for each node, does Let’s Encrypt issue multiple certificates that are valid concurrently? How would the validation process work in such cases? For example, with dns-01 validation, would the client (e.g. certbot) need to implement some mechanism to serialize the requests to ensure that two or more nodes don’t try to create the TXT record at the same time?
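As an added illustration of the per-node approach the question describes (this is example code written for this page, not part of the question or any reply, and not Let's Encrypt or certbot code): each node generates its own private key with owner-only permissions and produces a CSR, which is the only artefact that ever leaves the node. A second function checks the CSR before it is submitted: that it verifies, that its public key matches the local private key, and that no private-key material was accidentally written into it. It assumes `openssl` 1.1.1 or later is installed on the node (for `-addext`); the hostnames and output directory are constructed placeholders.

```shell
#!/bin/sh
# Per-node key and CSR generation. The private key is created on this node and
# stays here; only the CSR is handed to the CA (via the ACME client).

make_node_csr() {
  # $1 = output directory, $2 = node's primary hostname,
  # $3 = comma-separated additional SANs (may be empty)
  dir=$1; host=$2; extra=$3
  sans="DNS:$host"
  if [ -n "$extra" ]; then
    # turn "a,b" into "DNS:a,DNS:b" and append it
    sans="$sans,$(printf '%s' "$extra" | sed 's/[^,][^,]*/DNS:&/g')"
  fi
  mkdir -p "$dir" || return 1
  (
    umask 077   # every file created in this subshell is owner-only (0600)
    # Private key: generated locally, never copied off the node.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$host.key" 2>/dev/null || exit 1
    # CSR: the only artefact sent to the CA. -addext needs OpenSSL >= 1.1.1 (assumed).
    openssl req -new -key "$dir/$host.key" -subj "/CN=$host" \
        -addext "subjectAltName=$sans" -out "$dir/$host.csr" 2>/dev/null || exit 1
  )
}

csr_is_clean() {
  # Returns 0 when the CSR verifies, its public key matches the local private
  # key, and the CSR file contains no private-key block.
  dir=$1; host=$2
  openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1 || return 1
  pub_csr=$(openssl req -in "$dir/$host.csr" -noout -pubkey 2>/dev/null)
  pub_key=$(openssl pkey -in "$dir/$host.key" -pubout 2>/dev/null)
  [ -n "$pub_csr" ] && [ "$pub_csr" = "$pub_key" ] || return 1
  ! grep -q 'PRIVATE KEY' "$dir/$host.csr"
}

key_mode() {
  # Print the permission bits of a file (expect 600 for the private key).
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed usage: two nodes of one cluster, each with its own key and CSR.
if [ "${1:-}" = "demo" ]; then
  out=${TMPDIR:-/tmp}/node-csr-demo
  make_node_csr "$out/node1" node1.example.test "www.example.test" && \
    csr_is_clean "$out/node1" node1.example.test && echo "node1 CSR ok, key mode $(key_mode "$out/node1/node1.example.test.key")"
  make_node_csr "$out/node2" node2.example.test "www.example.test" && \
    csr_is_clean "$out/node2" node2.example.test && echo "node2 CSR ok, key mode $(key_mode "$out/node2/node2.example.test.key")"
fi
```

Because each node runs this locally, there is nothing sensitive to replicate; what gets distributed is the issued certificate chain, which is public. The `csr_is_clean` check is the step worth keeping in any automation, since it catches a CSR that was generated against the wrong key or into a file that also holds the key.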