Certbot configuration with multiple host servers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: douganconsulting.com (the primary; I have several others in the same environment, such as douganfamily.org).

My web server is (include version): Apache 2.4.37-21

The operating system my web server runs on is (include version): CentOS 8.1.1911

I can login to a root shell on my machine (yes or no, or I don't know): Yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.8.0

I've installed Certbot on a new CentOS 8 VM; my questions are of process and best practice. I have multiple servers, mostly using subdomains of douganconsulting.com (e.g. sc.douganconsulting.com). Some are Windows, the others Linux.

Is it best practice to run separate Certbot instances on each machine/VM requiring a certificate, or to set up all the required domains and subdomains on a central server and copy the certs each time they change? If the latter, is it possible to automate that?

A supplementary question - is it better to have separate certs for each subdomain, or use a wildcard?

Thanks,

Des

1 Like

Hi @ddougan,

I think it depends on how many certificates / instances you have. If you have more than 50 instances or subdomains that need to be secured (maybe even more than 10 subdomains), it's probably better to issue at one central location and push the certificate to each server.
I feel like some bash scripts can achieve the automation part, but it's more about security (aka how do you make sure other servers / users aren't able to retrieve the certificate / key), which I don't have suggestions on.

In my own view, it's better to use a wildcard certificate because it will prevent some secret systems (such as a home monitoring system or some super important system) from being discovered simply by pulling certificate transparency logs (there are other ways...), or being purely annoying when someone goes to some unexpected subdomains. Having a central system + wildcard certificate will also reduce the possibility of hitting a rate limit and / or having trouble renewing for any instance (however, it will introduce other issues, such as "The machine failed to transfer / pull / push certificates").

P.S. I would like to add: my opinion is purely unprofessional, and please just use that as a suggestion...

Thank you

1 Like
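One way to do the "push from a central server" part the reply leaves open, as an added example that is not code from either poster: a Certbot deploy hook that maps the renewed names (including a wildcard) to the hosts that serve them, checks that the key matches the certificate, and pushes over SSH so no server can pull another server's key. The host map, the `deploy@` SSH targets and the `/var/lib/certs-incoming` staging directory are constructed for the example; `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the variables Certbot itself exports to deploy hooks.

```shell
#!/bin/sh
# Certbot --deploy-hook (added example, not from the thread): push a renewed
# lineage to the hosts that serve its names. Certbot exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/douganconsulting.com) and RENEWED_DOMAINS.
set -eu

# Constructed host map: "<name> <ssh-target>" per line (assumed, not from the page).
HOST_MAP='
sc.douganconsulting.com   deploy@sc.douganconsulting.com
www.douganconsulting.com  deploy@web1.douganconsulting.com
douganfamily.org          deploy@fam.douganfamily.org
'

# List the SSH targets for the renewed names, one per line, de-duplicated.
# "*.zone" in RENEWED_DOMAINS matches every mapped name under that zone.
targets_for() {
    printf '%s\n' "$1" | tr ' ' '\n' | while read -r d; do
        [ -n "$d" ] || continue
        zone=${d#\*.}
        printf '%s\n' "$HOST_MAP" | while read -r name host; do
            [ -n "$name" ] || continue
            case "$d" in
                \*.*) case "$name" in *".$zone") echo "$host" ;; esac ;;
                *)    if [ "$name" = "$d" ]; then echo "$host"; fi ;;
            esac
        done
    done | sort -u
}

# Refuse to ship a key that does not match the certificate (half-written lineage).
lineage_consistent() {
    c=$(openssl x509 -noout -pubkey -in "$1/fullchain.pem")
    k=$(openssl pkey -pubout -in "$1/privkey.pem")
    [ "$c" = "$k" ]
}

# Push model: the central host initiates with a dedicated SSH key (BatchMode never
# prompts); files land 0600 in a staging dir and a root step on the target installs them.
push_to_host() {
    lineage=$1; host=$2; dest=/var/lib/certs-incoming
    ssh -o BatchMode=yes "$host" "umask 077 && mkdir -p '$dest'"
    scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" "$host:$dest/"
    ssh -o BatchMode=yes "$host" "chmod 0600 '$dest/privkey.pem'"
}

# Only act when Certbot invoked us; the functions stay callable for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    lineage_consistent "$RENEWED_LINEAGE"
    targets_for "${RENEWED_DOMAINS:-}" | while read -r host; do
        push_to_host "$RENEWED_LINEAGE" "$host"
    done
fi
```

Installed as an executable under /etc/letsencrypt/renewal-hooks/deploy/ (or passed with `--deploy-hook`), it runs once per renewed lineage, so a wildcard lineage reaches every mapped host under that zone in one pass.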