Cert(s) for two servers handling one domain


#1

I have two servers, both handling the same domain (www.richw.org). They are both Ubuntu/Apache systems.

I’ve set up a Let’s Encrypt certificate for one of the servers. How should I set up the other server so that it will use the same certificate? Should I just copy the /etc/letsencrypt directory tree from one to the other (e.g., by using “rsync”)?


#2

rsync-ing /etc/letsencrypt after each renewal and replicating the configuration changes of your apache config would be an option. A few more things you’d have to think about:

  • You’ll need a way to trigger a (graceful) reload of apache after each renewal, in order for the new certificate to be loaded. A simplistic approach might be to just gracefully reload apache daily (it’s a fairly cheap operation that doesn’t involve any downtime anyway).
  • If you use http-01 or tls-sni-01 challenges (for example via certbot's webroot, standalone or apache plugin), you cannot predict which of your two servers will receive the validation request. If it’s the wrong one, the validation will fail. This means you’ll either need to have an active/standby setup, where only one of your servers is active at a time so you can predict which one will receive the validation request (so you can run the client on that server), or you’ll need to adopt the method described in the Integration Guide (which contains a lot of other details that might be interesting for your use-case!). Using dns-01 would be a good workaround for this as well.
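A concrete form of the rsync-plus-reload procedure described in this reply, written as an added example rather than code from the thread or from certbot itself. It is meant to be installed as a certbot `--deploy-hook`, which certbot only calls after a successful renewal (setting `RENEWED_LINEAGE` and `RENEWED_DOMAINS` for it), so the copy and the graceful reload happen exactly when a new certificate exists. Assumptions: the second server is reachable over SSH as `$PEER` (the address is a placeholder), that account can write `/etc/letsencrypt` and reload apache2, and `openssl` is available for the post-deploy check that both machines now present the same certificate.

```bash
#!/usr/bin/env bash
# Added example (not from the thread). Install as:
#   certbot renew --deploy-hook /usr/local/sbin/push-cert.sh
# certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS when it invokes a deploy hook.
set -euo pipefail

DOMAIN="www.richw.org"
PEER="${PEER:-root@www2.example.invalid}"   # placeholder peer address (assumption)

# Return 0 if the space-separated list in $2 (certbot's RENEWED_DOMAINS) covers $1,
# so the hook does nothing for lineages that are not the one shared by both servers.
lineage_covers() {
  local want="$1" name
  for name in $2; do
    [ "$name" = "$want" ] && return 0
  done
  return 1
}

# Normalise two SHA-256 fingerprints (colons, case) and report whether they match.
same_fingerprint() {
  local a b
  a=$(printf '%s' "$1" | tr -d ':' | tr 'a-f' 'A-F')
  b=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a PEM certificate on disk.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the leaf certificate a running server presents for an SNI name.
served_fingerprint() {   # $1 = host:port, $2 = SNI name
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

push_and_reload() {
  # -a preserves the live/ -> archive/ symlinks and the 0600 mode on private keys;
  # --delete keeps the peer's archive/ identical to ours.
  rsync -a --delete -e ssh /etc/letsencrypt/ "$PEER:/etc/letsencrypt/"
  # Graceful reload picks up the new key pair without dropping connections.
  ssh "$PEER" 'apachectl configtest && systemctl reload apache2'
}

# Only acts when invoked by certbot (RENEWED_LINEAGE set) for the lineage we share.
if [ -n "${RENEWED_LINEAGE:-}" ] && lineage_covers "$DOMAIN" "${RENEWED_DOMAINS:-}"; then
  push_and_reload
  expected=$(cert_fingerprint "$RENEWED_LINEAGE/cert.pem")
  actual=$(served_fingerprint "${PEER#*@}:443" "$DOMAIN")
  if same_fingerprint "$expected" "$actual"; then
    echo "peer now serves $expected"
  else
    echo "WARNING: peer still serves $actual, expected $expected" >&2
    exit 1
  fi
fi
```

The fingerprint comparison at the end is the part worth keeping even if you deploy differently: a copy that succeeded but an Apache that was never reloaded looks identical from the filesystem and only shows up as an expired certificate weeks later. Note that `rsync -a` without `--delete` is also fine if you would rather keep old archive files on the peer.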

#3

In addition to the HTTP redirect method that @pfg is talking about above, you should also be able to proxy requests from the non-certbot server’s /.well-known directory onto the certbot server’s /.well-known/ directory. Sometimes that is easier, because you don’t have to touch the DNS records and can just handle things via IPs behind-the-scenes.
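What that proxy looks like in Apache terms, as an added example (not configuration from the thread or from certbot). It goes on the server that does not run certbot; `192.0.2.10` is a placeholder for the certbot server’s address, and it assumes `mod_proxy` and `mod_proxy_http` are enabled (`a2enmod proxy proxy_http`). Only http-01 can be forwarded this way, since the validation request is plain HTTP to port 80; a tls-sni-01 validation terminates TLS on whichever server answers and cannot be relayed by a path-based proxy.

```apache
# Added example, not from the thread. Placed in the port-80 vhost of the
# server that does NOT run certbot.
<VirtualHost *:80>
    ServerName www.richw.org

    # Relay ACME challenge requests to the certbot server. ProxyPreserveHost keeps
    # Host: www.richw.org intact so the certbot server's vhost matches.
    ProxyPreserveHost On
    ProxyPass        "/.well-known/acme-challenge/" "http://192.0.2.10/.well-known/acme-challenge/"
    ProxyPassReverse "/.well-known/acme-challenge/" "http://192.0.2.10/.well-known/acme-challenge/"

    # Everything else may still be sent to HTTPS, but the challenge path must be
    # excluded, or the validator gets a redirect instead of the challenge file.
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

With this in place it no longer matters which of the two servers the validation request lands on: the non-certbot server simply hands it to the one that wrote the challenge file, and the rsync step then carries the issued certificate back the other way.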


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.