Centralization vs local

I have about 100 websites which are all serviced using docker containers. Each container has its own docker volume for persistent storage where the site data and certificate being used is stored. The entire stack is on AWS ECS using Rex-Ray to handle the creation of each volume required when a site is deployed into the cluster. Today, when deploying a container the docker entrypoint script handles the setup of the certificate using DNS validation and certbot and the Route53 plugin.

This means that each container manages its own certificate, and if the site does happen to get compromised in some fashion then exposure is limited to the container. However, it does make handling certificates somewhat of a chore, even though I’ve automated much of it. I’ve thought about centralizing the certificate process but wasn’t keen on having all the certificates located in one place due to security. I guess because I’m doing DNS validation only I can run the centralized store on a private host instead.

What are your experiences with centralized vs local? Are you concerned with having all the certs for various sites stored in a single location?

Thanks!

The neat thing about this is that certificates are public information. They're sent to every device that visits those domains, and they're all published in public certificate transparency logs.

The tricky bit here is the private key; you need to keep that safe.

With Certbot you can use --reuse-key while issuing and renewing, and pre-distribute the private key to each of your clusters. Each cluster can pull the latest certificate from a central/public place. When the certificate renews, you only need to pull the new certificate (key remains the same). That way, you do not risk leaking any sensitive information.

If you take a look at some Docker/Kubernetes-native solutions that automate ACME, they basically just store both the certificate and private key in authenticated shared storage within the cluster of hosts.
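The pull side of the --reuse-key workflow described in this reply, as an added example that is not code from the thread or from Certbot. The private key is assumed to already be on the host (pre-distributed, mode 0600) and only the public certificate is fetched from the central store; before the fetched certificate is installed, the script confirms that it actually pairs with the local key and is not about to expire, so a stale or mis-published certificate from the central store cannot take a site down. All paths, the example CN and the fixture-generating helper are assumptions constructed for the demo; the checks themselves only use the openssl command line.

```shell
#!/bin/sh
# Added example (not from the original thread): install a centrally fetched
# certificate only if it matches the locally held, pre-distributed private key.
# Paths are assumptions; the fixtures below are constructed for the demo.

set -eu

# Return 0 if the public key embedded in CERT equals the public key derived
# from KEY. openssl emits both as SPKI PEM, so a string comparison suffices.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if CERT is still valid for at least DAYS more days
# (-checkend takes seconds).
cert_valid_for_days() {
    cert="$1"; days="$2"
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Copy the fetched certificate into place only when both checks pass.
# The certificate is public, so 0644 is fine; the key keeps its own 0600.
install_cert() {
    fetched="$1"; key="$2"; dest="$3"
    cert_matches_key "$fetched" "$key" \
        || { echo "refusing: fetched cert does not match local key" >&2; return 1; }
    cert_valid_for_days "$fetched" 1 \
        || { echo "refusing: fetched cert is expired or expiring" >&2; return 1; }
    cp "$fetched" "$dest" && chmod 0644 "$dest"
}

# Constructed demo material: the "pre-distributed" key, an unrelated key, and a
# 30-day self-signed certificate standing in for what the central store serves.
make_demo_fixtures() {
    dir="$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/site.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    chmod 0600 "$dir/site.key" "$dir/other.key"
    openssl req -x509 -new -key "$dir/site.key" -subj "/CN=example.test" \
        -days 30 -out "$dir/fetched.crt" 2>/dev/null
}

# Usage in an entrypoint would be:
#   install_cert /tmp/fetched.crt /etc/ssl/private/site.key /etc/ssl/certs/site.crt
```

In a real entrypoint the fetch step (from an S3 bucket, an internal HTTP endpoint, or wherever the central store lives) runs first, then `install_cert`; a failed check leaves the previously installed certificate untouched, which is the behaviour you want when renewal is happening somewhere else.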
