Certificates for Backup Servers

Has anything improved with Certbot to make it any easier to handle backup servers yet?

I have 4 servers (2 main, 2 set up for failover backup), plus 2 other servers.

phineas.my-domain.com (my-domain.com main)
ferb.my-domain.com (my-domain.com backup)
perry.my-domain.com (eu.my-domain.com main)
doofenshmirtz.my-domain.com (eu.my-domain.com backup)
candace.my-domain.com (utility server with a few other domains)
carl.my-domain.com (email server)

I can get Certbot to work fine on the main servers, but not the backup servers because the domains don’t point to the backup servers unless there is a failover on the main servers (automatic through DNS Made Easy).

Last time I asked about this, I was told the only way was to copy the certificates over from the main to the backup servers every 90 days. So either I have to manually do this every 90 days, or set up rsync and a cron job to do this (plus some file management because I don’t want rsync to have direct access to root folders).

Are there any other easier options now?

I wish there was something I could do to let Certbot know these are backup servers so I don’t have to jump through these extra hoops to try and get this to work on the backup servers, and just let Certbot take care of things.

Thank you.

I don’t think the Certbot project is ever going to prioritize this kind of setup, really. I don’t think anything has changed at all to make this easier.

What webserver do you use? If it’s something with a flexible configuration language like nginx, you can just configure all of your servers to respond to challenges statelessly (like this) and share the ACME account private key between your main and backup servers (a one-time action).

No more authenticator required, no coordination or file synchronization required. Every server will be able to issue and renew certificates regardless of whether it is actively serving traffic for the domain or not.

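The stateless approach in the reply above hinges on one value: the SHA-256 thumbprint of the ACME account key (RFC 7638), which every server echoes back after the challenge token as the HTTP-01 key authorization. As an added example that is not code from this thread, from Certbot or from the nginx configuration the reply links to, the following Python derives that thumbprint from the account key in JWK form (Certbot keeps the account key that way in private_key.json under /etc/letsencrypt/accounts/) and renders the matching nginx location block. The demo key, helper names and the rendered layout are this example's own constructions.

```python
"""Stateless HTTP-01 material: ACME account key thumbprint plus the nginx
location block that answers challenges for any hostname.

Added example, not code from the original thread or from Certbot. It assumes the
account key is available as a JSON Web Key (Certbot stores it that way in
private_key.json under /etc/letsencrypt/accounts/...). DEMO_JWK below is a
constructed dummy, not a real key, and the helper names are this example's own.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: the thumbprint hashes only the required public members,
# in lexicographic order, with no whitespace. Private members (d, p, q, ...) are
# never part of it, so the value is safe to embed in a world-readable config.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def _b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and ACME use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def canonical_jwk(jwk: dict) -> str:
    """Return the canonical JSON string that RFC 7638 hashes for this key."""
    kty = jwk.get("kty")
    if kty not in _REQUIRED_MEMBERS:
        raise ValueError(f"unsupported key type: {kty!r}")
    members = _REQUIRED_MEMBERS[kty]
    missing = [m for m in members if m not in jwk]
    if missing:
        raise ValueError(f"JWK is missing required members: {missing}")
    # sort_keys gives lexicographic order; separators strips all whitespace.
    return json.dumps({m: jwk[m] for m in members},
                      sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """SHA-256 JWK thumbprint (RFC 7638), base64url, always 43 characters."""
    digest = hashlib.sha256(canonical_jwk(jwk).encode("utf-8")).digest()
    return _b64url(digest)


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: the body an HTTP-01 challenge is answered with."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def nginx_stateless_location(jwk: dict) -> str:
    """Render an nginx location block that answers HTTP-01 for any token.

    nginx captures the token from the path and returns it joined with the
    thumbprint, so no file ever has to be written by Certbot. Any server that
    holds the same account key can serve this for whichever hostname is
    currently pointed at it, active or standby.
    """
    thumbprint = jwk_thumbprint(jwk)
    return (
        'location ~ "^/\\.well-known/acme-challenge/([-_a-zA-Z0-9]+)$" {\n'
        "    default_type text/plain;\n"
        f'    return 200 "$1.{thumbprint}";\n'
        "}\n"
    )


def load_certbot_account_key(path: str) -> dict:
    """Load Certbot's private_key.json (a JWK that includes private members)."""
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)


# Constructed dummy JWK for demonstration only. It is not a usable RSA key; the
# private member 'd' is included to show that it does not affect the thumbprint.
DEMO_JWK = {
    "kty": "RSA",
    "d": "ZHVtbXktcHJpdmF0ZS1leHBvbmVudA",
    "n": "c2FtcGxlLW1vZHVsdXMtbm90LWEtcmVhbC1rZXk",
    "e": "AQAB",
}

if __name__ == "__main__":
    # Real use: jwk = load_certbot_account_key("/etc/letsencrypt/accounts/.../private_key.json")
    print("thumbprint:", jwk_thumbprint(DEMO_JWK))
    print(nginx_stateless_location(DEMO_JWK))
```

Once the same Certbot account directory (private_key.json together with its meta.json and regr.json) is in place on every server, each one can run `certbot certonly` with the `--manual` authenticator and a no-op `--manual-auth-hook` (one that simply exits 0) while the location block above answers the validation request. The thumbprint is public data, but private_key.json is not: copy it over an authenticated channel and keep it root-only, because whoever holds the account key can request certificates for every name that resolves to any of these servers.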

You could use DNS validation – Certbot has a DNS Made Easy plugin, though it may or may not be easy to install on your OS.


Thank you, I might be able to get that to work. I didn’t know about that.
