Copy wildcard to a second server

Hi to all,

I currently have a VM running Nginx. I've already managed to create a cert through the DNS challenge.
Now I'd like to share the cert with another VM.

What I'd like to do is copy fullchain.pem and privkey.pem to the new machine with scp or rsync from the ssl_certificate path /etc/letsencrypt/live/my-domain/...

Do I need to install certbot on the new machine as well?
Is that enough, or do I need to copy the entire /etc/letsencrypt folder?

I've already created an automatic cron job for renewal. As soon as a certificate is renewed, I think I'm going to place a script into /etc/letsencrypt/renewal-hooks/post/ that will copy it to the new machine and restart nginx.
Do I need to lock the files on the new machine with root permissions?

Thanks for any help

No.

It depends on your setup and configuration. Be aware that Certbot uses this storage pattern: the actual files use versioned filenames under /etc/letsencrypt/archive/{CERTNAME}/, while the "current" certificates use the basic filenames and are symlinks to /archive and located under /etc/letsencrypt/archive/{CERTNAME}/live.

In many situations, the easiest way to handle this is to keep the entire /etc/letsencrypt/ synced. You don't really have to think much when you do that.

My personal preference to handle servers like this is to only copy over the current certificates to unversioned filenames on the second server.

The required permissions depend on the server you're using. I don't think nginx cares as long as it can read the files on startup.

Note: You can either "push" the new certs from the first to second server, or "pull" from the second to first. Running a "pull" process on the second server as a cronjob is usually easier, because you can just rsync && restart every day a bit after the first server runs certbot renew. I think "push" is the better option, but restarting the second server can be too complex depending on your experience level.

A similar option is to have both systems read Certificates from a shared storage (cloud, block, nfs, etc), and run cronjobs to restart nginx if the files were recently modified.

3 Likes
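The "push" variant described above, as an added example that is not code from the thread: a certbot hook for the first VM that copies the current fullchain.pem and privkey.pem out of /etc/letsencrypt/live/ (dereferencing the symlinks into /archive, so the second server only ever sees plain files under the unversioned names) and ships them with scp. The lineage name example.com, the remote user and host deploy@web2.example.com, the drop directory /var/lib/cert-drop and the SHA256SUMS convention are assumptions for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): certbot hook on the first VM that
# pushes the current certificate to a second nginx host. Host, user and
# directory names below are assumptions.
set -eu

CERT_NAME="${CERT_NAME:-example.com}"
# certbot exports RENEWED_LINEAGE for deploy hooks; post hooks get none, so
# fall back to the fixed live directory.
LIVE_DIR="${RENEWED_LINEAGE:-/etc/letsencrypt/live/$CERT_NAME}"
REMOTE="${REMOTE:-deploy@web2.example.com}"       # assumed second VM
REMOTE_DROP="${REMOTE_DROP:-/var/lib/cert-drop}"  # directory watched on web2

# sha256sum on Linux, shasum on BSD/macOS; same "hash  file" output format.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Archive version the live symlinks currently point at: prints "7" when
# privkey.pem -> ../../archive/example.com/privkey7.pem. Fails if privkey.pem
# is not such a symlink, i.e. the directory is not a lineage certbot wrote.
current_version() {
    target=$(readlink "$1/privkey.pem" 2>/dev/null) || return 1
    ver=${target##*/privkey}            # "7.pem"
    ver=${ver%.pem}                     # "7"
    case "$ver" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$ver"
}

# Copy the current fullchain.pem and privkey.pem from a live directory into a
# staging directory under their unversioned names. cp -L follows the symlink
# into /archive, so plain files are shipped, not dangling links. Each file is
# written under a temporary name and renamed, and SHA256SUMS is written last
# so the receiver can tell a complete drop from a partial one. The body runs
# in a subshell so the restrictive umask does not leak to the caller.
stage_current_cert() (
    live=$1; stage=$2
    umask 077
    mkdir -p "$stage"
    for f in fullchain.pem privkey.pem; do
        cp -L "$live/$f" "$stage/$f.tmp"
        mv -f "$stage/$f.tmp" "$stage/$f"
    done
    chmod 0644 "$stage/fullchain.pem"   # public; the key stays 0600
    cd "$stage"
    sha256_tool fullchain.pem privkey.pem > SHA256SUMS.tmp
    mv -f SHA256SUMS.tmp SHA256SUMS
)

# Ship the staged files; SHA256SUMS goes in a separate, final scp so the
# watcher on the far side only acts once the certificate and key are there.
push_stage() {
    stage=$1
    scp -q "$stage/fullchain.pem" "$stage/privkey.pem" "$REMOTE:$REMOTE_DROP/"
    scp -q "$stage/SHA256SUMS" "$REMOTE:$REMOTE_DROP/"
}

main() {
    ver=$(current_version "$LIVE_DIR")   # also guards against a broken lineage
    stage=$(mktemp -d)
    trap 'rm -rf "$stage"' EXIT
    stage_current_cert "$LIVE_DIR" "$stage"
    push_stage "$stage"
    logger -t push-cert "pushed $CERT_NAME (archive version $ver) to $REMOTE"
}

# Entry point for certbot. The live directory only exists on the certbot
# host, so this file can be sourced elsewhere to test the functions without
# touching the network.
if [ -d "$LIVE_DIR" ]; then
    main
fi
```

Install it as /etc/letsencrypt/renewal-hooks/post/push-cert.sh, mode 0755 and owned by root. A post hook runs after every certbot renew attempt, so the same certificate may be pushed again when nothing was renewed; that is harmless. Under renewal-hooks/deploy/ it would run only after an actual renewal, with RENEWED_LINEAGE set by certbot. The key travels inside ssh, so the only thing to lock down is the deploy user on the second VM: give it write access to the drop directory and nothing else.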

ok thanks.

Almost all clear.

I can copy the whole folder or the real cert file. If I understand correctly, the real cert is located under the archive folder.

My preference is to scp from the first server to the second into a specific folder immediately after renewal, and to monitor that folder on the second server with inotify. Once a new file appears, I'll run a script that moves the certificate to the right location, creates the RIGHT permissions and restarts nginx.

I don't really like having a shared folder between servers.

Thanks for your suggestions, and please correct me if I'm saying something wrong.

1 Like

Ok. You're clearly experienced in this stuff. Most people here aren't. That will work.

Yes. Just to be clear with an example...

The filestructure will look like this before renewal:

  • /etc/letsencrypt/archive/example.com/
    • ...
    • cert6.pem
    • chain6.pem
    • fullchain6.pem
    • privkey6.pem
  • /etc/letsencrypt/live/example.com/
    • cert.pem > ../../archive/example.com/cert6.pem
    • chain.pem > ../../archive/example.com/chain6.pem
    • fullchain.pem > ../../archive/example.com/fullchain6.pem
    • privkey.pem > ../../archive/example.com/privkey6.pem

And after renewal:

  • /etc/letsencrypt/archive/example.com/
    • ...
    • cert6.pem
    • chain6.pem
    • fullchain6.pem
    • privkey6.pem
    • cert7.pem
    • chain7.pem
    • fullchain7.pem
    • privkey7.pem
  • /etc/letsencrypt/live/example.com/
    • cert.pem > ../../archive/example.com/cert7.pem
    • chain.pem > ../../archive/example.com/chain7.pem
    • fullchain.pem > ../../archive/example.com/fullchain7.pem
    • privkey.pem > ../../archive/example.com/privkey7.pem

So you'll see (i) the addition of a new versioned filename into /archive and (ii) an update of the symlink under /live.

If you start nginx as root, the privs shouldn't really matter, even if it is configured to shed privileges and run as another user - that happens after startup. If you start nginx as another user, that user will require read privileges.

4 Likes

Jvanasco said it correctly. You have the right idea, and need not be afraid to just "go for it". I do exactly this daily, with cron and rsync. nginx, if rebooted or reloaded as root, will do the correct thing.

5 Likes
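The receiving side of the inotify plan from the reply above, as an added example that is not code from the thread: a watcher for the second VM that waits for the pushed files, verifies them, installs them with root-only permissions on the key, and reloads nginx only if nginx -t accepts the new pair, rolling back otherwise. The drop directory /var/lib/cert-drop, the destination /etc/nginx/ssl/example.com, the SHA256SUMS convention (the pusher sends that file last) and the use of systemd's nginx unit are assumptions for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): the receiving side on the second
# VM. Waits for a certificate drop, verifies it, installs it with root-only
# permissions on the key and reloads nginx only if the config test passes.
# Directory names, the nginx unit name and the use of systemd are assumptions.
set -eu

DROP_DIR="${DROP_DIR:-/var/lib/cert-drop}"            # where scp lands the files
CERT_DIR="${CERT_DIR:-/etc/nginx/ssl/example.com}"    # what nginx.conf points at

# sha256sum on Linux, shasum on BSD/macOS; both verify the same list format.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# Succeeds only when SHA256SUMS is present and every listed file matches it,
# i.e. the transfer finished and nothing arrived truncated or altered.
drop_is_complete() {
    drop=$1
    [ -s "$drop/SHA256SUMS" ] || return 1
    (cd "$drop" && sha256_tool -c --status SHA256SUMS)
}

# Install a verified drop. Each file is created with its final mode next to
# the destination and renamed over it, so nginx never opens a half-written
# file; install(1) makes the files owned by the invoking user, root on the
# server. The previous files are kept as *.prev for rollback.
install_cert() {
    drop=$1; dest=$2
    drop_is_complete "$drop" || { echo "incomplete or corrupt drop in $drop" >&2; return 1; }
    mkdir -p "$dest"
    for f in fullchain.pem privkey.pem; do
        if [ -e "$dest/$f" ]; then cp -p "$dest/$f" "$dest/$f.prev"; fi
    done
    install -m 0644 "$drop/fullchain.pem" "$dest/fullchain.pem.new"
    install -m 0600 "$drop/privkey.pem"   "$dest/privkey.pem.new"
    mv -f "$dest/fullchain.pem.new" "$dest/fullchain.pem"
    mv -f "$dest/privkey.pem.new"   "$dest/privkey.pem"
    rm -f "$drop/fullchain.pem" "$drop/privkey.pem" "$drop/SHA256SUMS"
}

# Put the previous certificate and key back (used when nginx rejects the new ones).
rollback_cert() {
    dest=$1
    for f in fullchain.pem privkey.pem; do
        if [ -e "$dest/$f.prev" ]; then mv -f "$dest/$f.prev" "$dest/$f"; fi
    done
    return 0
}

# nginx -t loads the certificate and key and fails on a mismatched pair or a
# malformed file, so a bad drop is rolled back instead of breaking the next
# restart.
apply_or_rollback() {
    if nginx -t; then
        systemctl reload nginx
    else
        echo "nginx -t rejected the new certificate; restoring previous files" >&2
        rollback_cert "$CERT_DIR"
        return 1
    fi
}

# inotify-tools: close_write fires when scp finishes writing a file; the
# pusher sends SHA256SUMS last, so that event marks a complete drop.
watch_loop() {
    inotifywait -m -q -e close_write -e moved_to --format '%f' "$DROP_DIR" |
    while read -r name; do
        [ "$name" = SHA256SUMS ] || continue
        if install_cert "$DROP_DIR" "$CERT_DIR"; then
            apply_or_rollback || true
        fi
    done
}

# Run the watcher only where the drop directory exists (the second VM), so
# the functions above can be sourced and tested anywhere else.
if [ -d "$DROP_DIR" ]; then
    watch_loop
fi
```

Run it as a root-owned systemd service so the installed files end up root-owned, which is what the answers above describe for an nginx started as root. The drop directory needs to be writable by the scp user only (for instance root:deploy with mode 0770); the watcher deletes each drop after installing it, so an old key never lingers there.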

Will the name on the cert cover the use of the new VM?

2 Likes

Yes, it does. It is a wildcard for subdomains of the type *.example.com.

2 Likes

Many thanks for the clarification. Very useful.
Thanks for your time.

2 Likes