Can I update a certificate without DNS pointing at it?

I have my business website on a VPS from a hosting company. A few weeks ago the website stopped working. I am pretty sure it was their fault, as I could log into the server via ssh and find ports 80 and 443 open, but they were not accessible on the web.

It got me thinking it might be sensible to have the website on another server, from another company, so if there’s a major problem I can switch the DNS to point to another IP address.

Would I be right in assuming that Let’s Encrypt would not be suitable for the backup server, and it would be better to pay for an SSL certificate valid for as long as I can get? I would obviously not want to mess around with the DNS every 90 days so certbot could update a certificate.

Perhaps another option might be to have the same private key on each server. Would that allow the same certificates to be used? I could copy via scp every week, so the certificates are always up to date.

Realistically though, just paying for a DV certificate valid for 10 years might be less hassle.

1 Like

Hi @drkirkby

Can I update a certificate without DNS pointing at it?

You can, use DNS validation. But it's not required, because

that's enough. But not every week, only after a renew.

You can use the same certificate with different servers, if the domain name matches. So you never need a new created certificate if you have a backup server.

That's over. (Paid) certificates (starting 2020/09) are max. 13 months valid, Let's Encrypt certificates 90.

1 Like

90 months? :thinking: :wink:

1 Like

Why not? The dns-01 challenge is a perfectly normal way to get a certificate and your use-case is one of the many reasons for it. Assuming you're using a provider that has a supported DNS plugin in your client, I find it way less convoluted than HTTP validation because the act of getting a cert is completely separate from the act of deploying the cert.

1 Like

When I was in a similar situation, I handled this two ways:

  1. I ran Certbot on the Primary with HTTP-01 authentication, and used a post-hook in certbot to scp the issued certificate/key from the Primary to the Backup. I also used a daily cronjob to ensure everything synced up, because I didn’t trust the hook. The certificate is tied to the domain name, not the IP or machine, so there is no concern about switching servers.

  2. I migrated to running Certbot from our office using DNS-01 authentication (with acme-dns), and then running a script that scp'd the certs onto the Primary/Backup and then restarting the webservers. It’s a bit manual, but it could be scripted. It was left manual because there was an existing bi-monthly server checkup scheduled, so this added 1 minute to the existing checklist/task.

There are other ways to handle this, these two worked for me.

1 Like
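As an added illustration of the first approach above (not code from any poster), here is a constructed certbot deploy hook that copies a renewed lineage to the backup host and, when run from a daily cron job, only copies again after a renewal. It assumes an ssh alias `backup`, nginx on both hosts and a placeholder remote directory; `RENEWED_LINEAGE` is the variable certbot really exports to `--deploy-hook` scripts.

```shell
#!/bin/sh
# Constructed example: certbot deploy hook plus daily sync check for a backup server.
# Assumptions: ssh alias "backup", nginx on both hosts, REMOTE_DIR is a placeholder.
set -eu

BACKUP_HOST="${BACKUP_HOST:-backup}"
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/site}"          # placeholder path on the backup
STAMP_DIR="${STAMP_DIR:-/var/lib/cert-sync}"       # where the last-synced fingerprint lives

# A lineage is only worth shipping when both files certbot writes are present.
lineage_complete() {
  [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Fingerprint of the lineage contents (cksum is POSIX, so no openssl dependency).
lineage_sum() {
  cat "$1/fullchain.pem" "$1/privkey.pem" | cksum | cut -d' ' -f1
}

# Sync is needed when no fingerprint was recorded yet, or the contents changed
# since the last successful copy (i.e. certbot actually renewed).
needs_sync() {
  lineage="$1"; stamp="$2"
  [ -f "$stamp" ] || return 0
  [ "$(cat "$stamp")" != "$(lineage_sum "$lineage")" ]
}

# Copy cert and key over ssh, tighten key permissions remotely, reload nginx there,
# then record the fingerprint so the daily run does nothing until the next renewal.
sync_lineage() {
  lineage="$1"; stamp="$2"
  lineage_complete "$lineage" || { echo "incomplete lineage: $lineage" >&2; return 1; }
  scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" "$BACKUP_HOST:$REMOTE_DIR/"
  ssh "$BACKUP_HOST" "chmod 600 '$REMOTE_DIR/privkey.pem' && systemctl reload nginx"
  mkdir -p "$(dirname "$stamp")"
  lineage_sum "$lineage" > "$stamp"
}

# certbot sets RENEWED_LINEAGE when calling the deploy hook; the cron job passes
# the lineage directory (e.g. /etc/letsencrypt/live/<domain>) as the first argument.
main() {
  lineage="${RENEWED_LINEAGE:-${1:-}}"
  [ -n "$lineage" ] || { echo "usage: $0 /etc/letsencrypt/live/<domain>" >&2; exit 2; }
  stamp="$STAMP_DIR/$(basename "$lineage").sum"
  if needs_sync "$lineage" "$stamp"; then sync_lineage "$lineage" "$stamp"; fi
}

if [ -n "${RENEWED_LINEAGE:-}" ] || [ $# -gt 0 ]; then main "$@"; fi
```

Install it as `certbot renew --deploy-hook /path/to/script` (or drop it in `/etc/letsencrypt/renewal-hooks/deploy/`) and add a daily cron line that calls it with the lineage path; the fingerprint check is what keeps the weekly or daily copy from becoming a needless transfer of the private key.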

I don’t suppose some will be keen to read this, but realistically if the plan is to have a backup server, it would make sense for that server to be able to be used if there was ever a problem using Let’s Encrypt certificates, either because of the fault of Let’s Encrypt, or a browser has an update and omits the Let’s Encrypt client certificate. The cost of a basic SSL certificate is peanuts compared to the cost of maintaining a backup server.

No need to buy a certificate for that purpose @drkirkby.

For example, one might use a free Buypass certificate which also uses ACME as a backup.

1 Like

Is that a free CA? I was looking for one, and came across

https://help.zerossl.com/hc/en-us/articles/360015693639-I-have-a-SSL-for-Free-account-how-can-I-log-in-

which initially seemed to be a free CA, but despite the name, you actually need to pay. Then I found CaCert

http://www.cacert.org/

which claims to be a free CA, but they don't even use SSL on their own website, which did not inspire confidence!

1 Like

Yeah, no, steer clear of "Free"SSL.. They used to use Let's Encrypt, but were bought by a party I can't recall the name of.. They went for zeh moneyz.. Sellouts..

That's because CaCert's root isn't in the usual root stores, such as Mozilla, Google, Apple, Microsoft et cetera. As such, those certs would give a TLS error.

Yup, as far as I can tell they are for standard DV certs.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.