CertBot Auto-renewal for SMTP(Exim4) and IMAP(Dovecot)

Sorry if this is a beginner question. I am switching from a commercial certificate to CertBot/Let's Encrypt. We have 4 servers running Apache2, Exim4, and Dovecot, all with SSL. We have been purchasing a wildcard certificate and using a duplicate for each service (for each service, the same certificate on all 4 servers).

In preparing to move to CertBot, I have managed to generate a wildcard and duplicates for WWW and Mail using 'certonly' and '--manual'. Now that I understand the 90 day lifespan limit, I will need to automatically install renewed keys/certificates every 60 days.

My questions are more general - I'd like to understand the best way to deploy CertBot in a multiple server topography like mine:

  • There is a plug-in to install certificates for Apache. Is there anything for Exim4 and Dovecot? Or a template plug-in that I could configure/customize?

  • A wildcard certificate is a good thing in this situation, right?

  • Should I run CertBot on one server, or on all 4? (Assuming that if I run CertBot on each of my 4 servers, I assume each service on each server will have its own duplicate?)

Thanks.

-Dave

1 Like

Hi @kdhallbgm and welcome to the LE community forum :slight_smile:

No.

It can be.

There is no "wrong answer".
If each server can run certbot, and authenticate via HTTP, then that might simplify things [especially the cert renewals].

1 Like

No, but if I hear you correctly, you already have the knowledge of installing a commercial certificate to those services. Not really any different with Let's Encrypt/Certbot to be honest.

Probably not. Wildcards often aren't necessary and in your case it'll probably limit your auto-renewal capabilities due to the fact you're using --manual, which isn't automatable without hook scripts for the challenge. You're probably better off without the wildcard and using the http-01 challenge instead of the dns-01 challenge for the wildcard.

4 certificates is awfully close to the rate limit of 5, so my recommendation would be to script an automated deployment script from server A to servers B, C and D.

1 Like
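One way to do the "server A to servers B, C and D" deployment suggested above is a Certbot deploy hook. This is an added example, not code posted by anyone in the thread. The peer names, destination directory, key group and root SSH access are assumptions; `RENEWED_LINEAGE` is set by Certbot when it runs a `--deploy-hook` script.

```shell
#!/bin/sh
# Certbot deploy hook for the one server that renews the certificate.
# Certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<cert-name>).
# Assumed, not from the thread: peer names, DEST_DIR, KEY_GROUP (a group on
# each peer that the Exim runtime user belongs to), root SSH keys to peers.
PEERS="${PEERS:-serverB serverC serverD}"
DEST_DIR="${DEST_DIR:-/etc/ssl/letsencrypt}"
KEY_GROUP="${KEY_GROUP:-ssl-cert}"
SERVICES="${SERVICES:-apache2 exim4 dovecot}"

# Succeed only if both files exist and the private key matches the certificate.
check_lineage() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ] || return 1
    cert_pub=$(openssl x509 -in "$1/fullchain.pem" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$1/privkey.pem" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print the commands for one peer. -L copies the files behind Certbot's
# symlinks; --chown/--chmod leave the key readable by root and KEY_GROUP only.
plan_for_peer() {
    echo "rsync -Lpog --chown=root:$KEY_GROUP --chmod=F640" \
        "$1/fullchain.pem $1/privkey.pem root@$2:$DEST_DIR/"
    for svc in $SERVICES; do
        echo "ssh root@$2 systemctl reload $svc"
    done
}

# Validate, then run each planned command; DRY_RUN=1 prints instead of running.
deploy() {
    lineage="${1:-${RENEWED_LINEAGE:-}}"
    check_lineage "$lineage" || { echo "refusing to deploy: $lineage" >&2; return 1; }
    for peer in $PEERS; do
        plan_for_peer "$lineage" "$peer" | while read -r cmd; do
            if [ -n "${DRY_RUN:-}" ]; then
                echo "$cmd"
            else
                # </dev/null stops ssh from swallowing the rest of the plan
                $cmd </dev/null || exit 1
            fi
        done || return 1
    done
}

# Run only when Certbot invoked us as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy; fi
```

Setting `DRY_RUN=1` and calling `deploy` with a lineage directory prints the planned commands without contacting any peer, which is a quick way to review what would be pushed before wiring the script into renewal.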

True.

However, if OP avoided using wildcards, then they would have 4 certificates with distinct domain name sets. No issue with rate limits there.

3 Likes

Assuming those 4 hosts are using 4 separate hostnames of course :slight_smile: (Although if that is not the case, I don't understand the need for a wildcard certificate completely, so you're probably right :wink:)

2 Likes

BTW, this inquiry is for an academic setting - we're trying to move away from commercial certificates for budgetary reasons. Auto-renewal vs. yearly manual renewal is also attractive.

Regarding the number of certificates: In my DNS all 4 servers are aliased as www.x.y.z and mail.x.y.z. Each server also has individual hostnames for its IP address. When I requested the duplicates I included all of the names for all 4 servers in the -d parameter.

Regarding 'certonly --manual', I started with this just to figure out how to work with CertBot and what the certificates would look like. For auto-renewal I think I'd still prefer DNS-01, but mostly I need dependable.

-Dave

Where x.y.z is identical for all 4 hosts? Or different for all 4 hosts?

Anyway, the DNS-01 challenge is a good option, especially for wildcard certificates. (Although I'm not sure I see the indication for a wildcard certificate here.) If you're worried about 4 certificates being almost 5 regarding the duplicate certs rate limit, you could add the host-specific hostname to each cert individually. That way the embedded hostnames aren't duplicates any longer, so they will only count a single time for the duplicate cert rate limit. They would however count towards the certs per domain rate limit, but currently the max for that is 50 per week. So not really an issue.

3 Likes
