I wonder what’s the best way to distribute a certificate to other VMs / computers. Are there some howtos for good solutions?
Currently I generate them on the host and move them in the filesystem of containers. Now I use more full VMs and need a way to transfer them securely.
I could create accounts, which can be used to copy (scp, sftp, rsync) the files there, but the same account could be used to extract the certificate (and key!) again and the private ssh key needs to lie on the server requesting the certificate.
Another option would be not to rotate the key and just distribute the updated certificate, which is not confidential, i.e. by downloading it on the receiving VM via http. But key rotation is a good thing.
Are there any howtos or best practices for distributing updated certificates to remote machines?
That is not a question about certificates as such. It’s also not quite clear what exactly you mean by “but the same account could be used to extract the certificate (and key!) again”, at least assuming that permissions are set up correctly and you are not just handing access out to everyone. In any case, if you are looking for something more advanced than scp/rsync (and don’t want to try something like git-crypt, shared mount points, etc.), you might consider configuration management systems (Puppet/Ansible/Salt/whatever). Though to just use them for certificate file distribution feels like overkill.
I am currently setting up ansible, but I want to run something from a post-hook of letsencrypt, which distributes the needed files. Ansible seems not that suitable for this.
The other part is that automatic key distribution needs some kind of automatic access, so a password/ssh key/whatever needs to be stored on the machine running certbot. This means that this machine has a lot more access than I would like it to have.
The best method would be some one-way push, which allows certbot to push the certificate and key, but nothing else. And explicitly no read access to anything on the remote machine.
I do not think I am the first to deploy with such a distributed setup, so probably there are already some best-practices and I do not need to reinvent everything ;-).
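One way to get the one-way push described above is an ssh key that is pinned to a forced command on the receiving VM: the certbot host can only run that one program, which reads a stream from stdin, accepts exactly two file names, installs them into one fixed directory and never sends anything back. The script below is an added example, not code from this thread or from certbot; `RENEWED_LINEAGE` is the environment variable certbot sets for `--deploy-hook`, while the paths `/usr/local/bin/certpush`, `/etc/ssl/pushed`, `/etc/letsencrypt/push_key`, the user `deploy@vm.example` and the `RELOAD_CMD` variable are assumptions for illustration.

```shell
#!/bin/sh
# One-way certificate push (illustrative example). The sender streams exactly
# two files over ssh; the receiver is an ssh forced command that only ever
# writes into one fixed directory and prints nothing back.
#
# Receiver: authorized_keys entry for the push key (one line; key is a placeholder):
#   command="/usr/local/bin/certpush receive /etc/ssl/pushed",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty ssh-ed25519 AAAA...PLACEHOLDER certbot-push
#
# Sender: certbot deploy hook (certbot exports RENEWED_LINEAGE to the hook):
#   certbot renew --deploy-hook \
#     '/usr/local/bin/certpush push "$RENEWED_LINEAGE" | ssh -i /etc/letsencrypt/push_key deploy@vm.example'
set -eu

# The only member names the receiver accepts, each with its install mode.
# Any other name (another file, a directory, a ../ path) aborts the update.
allowed_mode() {
    case "$1" in
        fullchain.pem) echo 0644 ;;
        privkey.pem)   echo 0600 ;;
        *) return 1 ;;
    esac
}

# Sender side: tar stream of just the two files from a lineage directory.
# -h dereferences certbot's live/ symlinks so the real contents are shipped.
push_cert() {
    tar -C "$1" -chf - fullchain.pem privkey.pem
}

# Receiver side, inner step: validate the stream and install atomically.
# Returns non-zero and leaves the existing files untouched on any problem.
_receive_into() {
    dest="$1"; tmp="$2"
    cat > "$tmp/payload.tar" || return 1

    # Check every member name before extracting a single byte.
    tar -tf "$tmp/payload.tar" > "$tmp/members" 2>/dev/null || return 1
    [ -s "$tmp/members" ] || return 1
    while IFS= read -r member; do
        allowed_mode "$member" >/dev/null || return 1
    done < "$tmp/members"

    mkdir -p "$tmp/x" "$dest" || return 1
    tar -xf "$tmp/payload.tar" -C "$tmp/x" || return 1

    # Both files must be present and look like PEM before anything is swapped in.
    for f in fullchain.pem privkey.pem; do
        [ -f "$tmp/x/$f" ] || return 1
        grep -q '^-----BEGIN ' "$tmp/x/$f" || return 1
    done

    # Stage with final permissions, then rename, so a reader never sees a
    # half-written key or a cert/key pair from two different renewals.
    for f in fullchain.pem privkey.pem; do
        install -m "$(allowed_mode "$f")" "$tmp/x/$f" "$dest/.$f.new" || return 1
    done
    for f in fullchain.pem privkey.pem; do
        mv -f "$dest/.$f.new" "$dest/$f" || return 1
    done

    # Optional service reload, e.g. RELOAD_CMD="systemctl reload nginx" (assumed name).
    [ -z "${RELOAD_CMD:-}" ] || $RELOAD_CMD
}

# Receiver entry point: always clean up the scratch directory.
receive_cert() {
    tmp=$(mktemp -d)
    _receive_into "$1" "$tmp" && rc=0 || rc=$?
    rm -rf "$tmp"
    return $rc
}

case "${1:-}" in
    push)    push_cert "${2:?lineage directory}" ;;
    receive) receive_cert "${2:?destination directory}" ;;
esac
```

Because the key is bound to `command=` with `no-pty` and forwarding disabled, a compromise of the certbot host yields write access to two fixed paths on the target and nothing else; the receiver's own checks (allow-listed names, PEM sanity check, atomic rename) mean a malformed or tampered stream cannot replace or partially overwrite the certificate that is already in service.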