I currently have a VM running Nginx. I've already managed to create a cert through a DNS challenge.
Now I'd like to share the cert with another VM.
What I'd like to do is copy fullchain.pem and privkey.pem to the new machine with scp or rsync from ssl_certificate /etc/letsencrypt/live/my-domain/...
Do I need to install certbot on the new machine as well?
Is that enough, or do I need to copy the entire /etc/letsencrypt folder?
I've already created an automatic cron job for renewal. As soon as a new certificate is renewed, I think I'm going to place a script into /etc/letsencrypt/renewal-hooks/post/ that will copy it to the new machine and restart nginx.
Do I need to lock the files on the new machine with root permissions?
It depends on your setup and configuration. Be aware that Certbot uses this storage pattern: the actual files use versioned filenames under /etc/letsencrypt/archive/{CERTNAME}/, while the "current" certificates use the basic filenames and are symlinks to /archive and located under /etc/letsencrypt/archive/{CERTNAME}/live.
In many situations, the easiest way to handle this is to keep the entire /etc/letsencrypt/ synced. You don't really have to think much when you do that.
My personal preference to handle servers like this is to only copy over the current certificates to unversioned filenames on the second server.
The required permissions depend on the server you're using. I don't think nginx cares as long as it can read the files on startup.
Note: You can either "push" the new certs from the first to second server, or "pull" from the second to first. Running a "pull" process on the second server as a cronjob is usually easier, because you can just rsync && restart every day a bit after the first server runs certbot renew. I think "push" is the better option, but restarting the second server can be too complex depending on your experience level.
A similar option is to have both systems read certificates from shared storage (cloud, block, NFS, etc.), and run cron jobs to restart nginx if the files were recently modified.
I can copy the whole folder or the real cert file. If I understand correctly, the real cert is located under the archive folder.
My preference is to scp from the first server to a specific folder on the second one immediately after renewal, and monitor that folder on the second server with inotify. Once a new file appears I'll run a script that moves the certificate to the right location, creates the RIGHT permissions and restarts nginx.
I don't really like having a shared folder between servers.
Thanks for your suggestions, and please correct me if I'm saying something wrong.
So you'll see (i) the addition of a new versioned filename into /archive and (ii) an update of the symlink under /live.
If you start nginx as root, the privs shouldn't really matter, even if it is configured to shed privileges and run as another user - that happens after startup. If you start nginx as another user, that user will require read privileges.
Jvanasco said it correctly. You have the right idea, and need not be afraid to just "go for it". I do exactly this daily, with cron and rsync. nginx, if rebooted or reloaded as root, will do the correct thing.
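An added example (not code from anyone in this thread) of the push model discussed above, split into the two halves that run on each VM: on the Certbot host, a hook copies whatever the live/ symlinks currently point at into a staging directory under the unversioned names and rsyncs it over; on the nginx host, an installer refuses non-PEM input, replaces the files atomically, sets root-only permissions on the key and reloads nginx only when something actually changed. One caveat worth knowing: Certbot's renewal-hooks/post/ scripts run after every renewal attempt, whereas scripts in renewal-hooks/deploy/ run only after a successful renewal and receive the lineage path in RENEWED_LINEAGE, so the deploy directory is the better home for this. The hostnames, directories and the remote install command are placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Placeholders below are assumptions.
set -eu

STAGE_DIR="${STAGE_DIR:-/var/lib/cert-push}"                 # assumption: staging dir on Certbot VM
REMOTE="${REMOTE:-deploy@web2.example.internal}"             # assumption: ssh target of the nginx VM
REMOTE_STAGE="${REMOTE_STAGE:-/var/lib/cert-inbox}"          # assumption: inbox dir on the nginx VM
NGINX_CERT_DIR="${NGINX_CERT_DIR:-/etc/nginx/ssl/my-domain}" # assumption: where nginx reads the certs

# Copy the files that live/ currently points at into $2 under unversioned names.
# Exit status: 0 if at least one file changed, 1 if both were already identical,
# 2 if a file is missing or unreadable (never ship a half-renewed lineage).
stage_current_certs() {
    live_dir=$1; out_dir=$2; changed=1
    mkdir -p "$out_dir"
    for f in fullchain.pem privkey.pem; do
        [ -r "$live_dir/$f" ] || { echo "stage: $live_dir/$f unreadable" >&2; return 2; }
        if ! cmp -s "$live_dir/$f" "$out_dir/$f"; then
            cp -L "$live_dir/$f" "$out_dir/$f.tmp"   # -L follows the live -> archive symlink
            mv "$out_dir/$f.tmp" "$out_dir/$f"       # rename, so readers never see a partial file
            changed=0
        fi
    done
    return "$changed"
}

# Install staged files into the directory nginx reads. Refuses anything that is not PEM
# (a truncated copy would make nginx -t fail). Exit status as above: 0 changed, 1 unchanged, 2 bad input.
install_certs() {
    stage_dir=$1; dest_dir=$2; changed=1
    grep -q -e '-----BEGIN CERTIFICATE-----' "$stage_dir/fullchain.pem" || return 2
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$stage_dir/privkey.pem" || return 2
    mkdir -p "$dest_dir"
    for f in fullchain.pem privkey.pem; do
        if ! cmp -s "$stage_dir/$f" "$dest_dir/$f"; then
            cp "$stage_dir/$f" "$dest_dir/$f.tmp"
            mv "$dest_dir/$f.tmp" "$dest_dir/$f"
            changed=0
        fi
    done
    # nginx opens the key as root at startup/reload, so nobody else needs to read it.
    chmod 0644 "$dest_dir/fullchain.pem"
    chmod 0600 "$dest_dir/privkey.pem"
    return "$changed"
}

# The check the thread asks about: is the installed key readable by its owner only (mode 0600)?
key_perms_ok() {
    [ -n "$(find "$1/privkey.pem" -perm 600 -print)" ]
}

reload_nginx() {
    # Test the config first: a mismatched cert/key pair must not take the site down.
    nginx -t && systemctl reload nginx
}

case "${1:-}" in
    push)
        # Run on the Certbot VM from /etc/letsencrypt/renewal-hooks/deploy/; Certbot exports
        # RENEWED_LINEAGE there, e.g. /etc/letsencrypt/live/my-domain.
        if stage_current_certs "${RENEWED_LINEAGE:?}" "$STAGE_DIR"; then
            rsync -a --chmod=F600 "$STAGE_DIR/" "$REMOTE:$REMOTE_STAGE/"
            ssh "$REMOTE" sudo /usr/local/sbin/cert-sync install   # assumption: this script, installed there
        fi
        ;;
    install)
        # Run on the nginx VM, either by the ssh call above or from cron/inotify watching the inbox.
        if install_certs "$REMOTE_STAGE" "$NGINX_CERT_DIR"; then
            reload_nginx
        fi
        ;;
esac
```

Because both halves return 1 when nothing changed, a daily cron "pull" on the second VM (rsync the inbox from the first VM, then `cert-sync install`) reloads nginx only on real renewals, which is what makes the pull variant in the thread safe to run unattended.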