I have a few certs that I am creating (one domain with several subdomains, for those who are curious) that will be spread across different machines. Is there a way that I can install LetsEncrypt on a single machine and move the certs/keys/whatever around once they’re generated to each other machine or do I really need to install LetsEncrypt on each individual machine that requires a cert?
I’ve seen a few posts that partially address this, but nothing that can be used for a reference unless you already understand the process and what is required >_>
Thanks for the quick reply Osiris. Sad to hear (but good to know) there aren’t any well known existing tools out there for this
Let’s say I have “server A”, where I install Let’s Encrypt and “server B” where I am hosting one subdomain.
My understanding is that Let’s Encrypt works on a challenge (Let’s Encrypt explanation), so as long as it sees the correct thing on the correct page, it doesn’t actually care where it’s looking or how it got there–meaning that as long as the query hits Server B and sees the correct page, it works. So this means I’ll need to move the page from Server A (where Let’s Encrypt generates it) to Server B (where the request will be routed).
This means that I will also have to move the private key at some point as well–and I suppose somehow have Server B aware of the key? I assume the 1st part is as simple as copying a file (wherever that may be) & the 2nd part depends on what web server you’re using, but probably just needs the private key to be in the right place?
Does this sound about right? Am I drastically oversimplifying? Am I missing steps? Thanks for the help
Hey rg305. I’m not understanding what you’re asking, so I’m assuming I’m not clear explaining what I’m trying to do.
Let’s say I have 3 different machines, each running a different subdomain of a common website. Rather than install Let’s Encrypt on each machine, I’d rather just install Lets Encrypt on a single machine and move files around. This means I install Let’s Encrypt once, run it 3 times (one for each subdomain) and move that private key to the correct server so that it’s on the correct subdomain. This seems easier (to me) than needing to repeatedly run Let’s Encrypt on multiple machines every time I need to upgrade or change something.
OK, I see the point on “when things go wrong” complexity can be a deterrent.
So, let’s try to keep it simple and yet in a manner that can scale and be functional.
How about a very low use dedicated instance (probably can get one for free).
That will only do the renewals. [so your trouble shooting is in only one place]
Then use RSYNC to copy the necessary file - or the entire path - from each of the servers needing certs.
That scales to infinity and beyond!
Troubleshooting will be a single client on a single system.
Can’t make that any simpler.
So choose a simple client with a good community and support and you’re set.
Well that and you have to make RSYNC your friend - but that is simple (and encrypted too).
Just my 2 cents…
There are many solutions to this type of problem.
None are hard set simply because there are so many variables that it is impossible to issue a one-size-fits-all solution.
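As an added illustration of the split rg305 describes above (one renewal host, rsync to the servers that need the certs), and not code from the original thread or from any ACME client, here is a certbot deploy hook in Python. It assumes certbot is the client on the renewal host (certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks), that the renewal host can ssh to each web server with a key and no prompt, and that the hostnames, paths and reload command in TARGETS and RELOAD_CMD are placeholders to replace with your own. Only fullchain.pem and privkey.pem are pushed; the ACME account key never leaves the renewal host. For HTTP-01 the names must still be reachable by the CA, so the web servers need to redirect /.well-known/acme-challenge/ to the renewal host (or you use DNS-01).

```python
#!/usr/bin/env python3
"""certbot --deploy-hook: push a renewed cert + key from the renewal host to web servers.

Added example, not certbot's own code. Hosts, paths and the reload command are
constructed placeholders.
"""
import os
import shlex
import subprocess
import sys

# Constructed mapping: renewed name -> (ssh target, directory the web server reads from).
TARGETS = {
    "www.example.com": ("deploy@web1.example.com", "/etc/ssl/letsencrypt/www.example.com/"),
    "api.example.com": ("deploy@web2.example.com", "/etc/ssl/letsencrypt/api.example.com/"),
}
FILES = ("fullchain.pem", "privkey.pem")
RELOAD_CMD = "sudo systemctl reload nginx"  # assumed remote reload command


def plan_sync(lineage, domains, targets=TARGETS):
    """Build one rsync argv per renewed name that has a target.

    -L dereferences the live/ symlinks so the remote gets real files, not dangling links;
    -p --chmod keeps privkey.pem readable only by its owner and the web server's group;
    ssh BatchMode fails fast instead of hanging on a password prompt when run from cron.
    """
    cmds = []
    for name in domains:
        if name not in targets:
            continue  # a name we do not deploy anywhere
        host, dest = targets[name]
        cmd = ["rsync", "-L", "-p", "--chmod=F0640", "-e", "ssh -o BatchMode=yes"]
        cmd += [os.path.join(lineage, f) for f in FILES]
        cmd.append(f"{host}:{dest}")
        cmds.append(cmd)
    return cmds


def reload_cmd(host):
    """Remote reload so the web server picks up the new files."""
    return ["ssh", "-o", "BatchMode=yes", host, RELOAD_CMD]


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    domains = os.environ.get("RENEWED_DOMAINS", "").split()
    if not lineage or not domains:
        sys.exit("run as certbot --deploy-hook; RENEWED_LINEAGE/RENEWED_DOMAINS not set")
    for cmd in plan_sync(lineage, domains):
        print("+", shlex.join(cmd))
        subprocess.run(cmd, check=True)
        host = cmd[-1].split(":", 1)[0]
        subprocess.run(reload_cmd(host), check=True)


if __name__ == "__main__":
    main()
```

Install it with `certbot renew --deploy-hook /path/to/this.py` (or in the renewal config); it runs only after a successful renewal, so the single place to troubleshoot stays the renewal host.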
@coatmaker618, after re-reading your posts, it seems clear that you don’t yet fully understand the authentication process, as you have included passing the private key around as a possible requirement for authentication.
Let me add some clarity.
The private key is not used in the authentication process. HTTP authentication requires that a specific file with specific content be placed in a specific location.
The file and the content are negotiated by the ACME client and server. [one-time use only]
The location is always http://<your.fqdn>/.well-known/acme-challenge/<file-name>
But LE will follow challenge request redirects, so that location can be “moved” to any other FQDN, another path, and to TLS (port 443) if so desired.
it seems clear that you don’t yet fully understand the authentication process. As you have included passing the private key around as a possible requirement for authentication.
Ok, I think I’m confusing authentication of Let’s Encrypt with the TLS encryption? Because the whole point of the Let’s Encrypt challenge (putting a file at: http://<your.fqdn>/.well-known/acme-challenge/<file-name>) is to verify that you actually own the domain? And once ownership is established, you get a private key & send Lets Encrypt your public key. Then you (only) use your private key every time someone tries to browse to your webpage via HTTPS.
So I see that you can authenticate with Lets Encrypt without moving your private key around. Thanks for clearing that up!
An ACME client (“client”) creates a private key/public cert pair.
Then tries to get it signed by a trusted CA (“LE”) [so all can trust it].
LE must verify ownership (in this case by HTTP authentication).
Client passes LE the public cert to be signed and LE sends back a “proof” file.
(“put this file with this content in this specific location and I will believe you are who you say you are”)
Client places file in said location and asks LE to verify.
LE tries to verify file:
Pass = LE returns a signed cert and all are happy.
Fail = LE returns error code(s) and all are unhappy.
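To make the HTTP challenge described in the two posts above concrete, here is an added Python example (not code from the thread, Let’s Encrypt, or any ACME client) that builds the challenge file content the way RFC 8555 defines it and then plays both sides on localhost: "Server B" serves the file under /.well-known/acme-challenge/, and a stand-in for the CA fetches it and compares. The account JWK, tokens and paths are constructed for the demo; a real CA connects to port 80 of the actual FQDN and the token comes from the CA, not from the client.

```python
"""HTTP-01 challenge, both sides, on localhost. Added example; constructed inputs."""
import base64
import functools
import hashlib
import http.server
import json
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: JSON of the required members only, keys sorted, no whitespace, SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Challenge file content (RFC 8555 s8.1): token '.' thumbprint of the ACME account key.
    Note: only the public JWK is needed here; no private key is involved."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def place_challenge(docroot: str, token: str, keyauth: str) -> str:
    """Server B's only job: serve this file at /.well-known/acme-challenge/<token>."""
    d = os.path.join(docroot, ".well-known", "acme-challenge")
    os.makedirs(d, exist_ok=True)
    path = os.path.join(d, token)
    with open(path, "w") as f:
        f.write(keyauth)
    return path


class _Quiet(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's output clean
        pass


def serve(docroot: str) -> http.server.ThreadingHTTPServer:
    """Stand-in for Server B's web server, bound to an ephemeral localhost port."""
    handler = functools.partial(_Quiet, directory=docroot)
    httpd = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def validate(base_url: str, token: str, expected: str) -> bool:
    """Stand-in for the CA: fetch the file (redirects are followed, as LE does) and compare."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore proxy env
    try:
        with opener.open(url, timeout=5) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except (urllib.error.URLError, OSError, ValueError):
        return False  # 404, connection refused, timeout: challenge fails
    return body == expected


def demo():
    # Constructed account JWKs (random bytes, not real keys): only public members matter.
    account_jwk = {"kty": "RSA", "e": "AQAB", "n": b64url(secrets.token_bytes(256))}
    other_jwk = {"kty": "RSA", "e": "AQAB", "n": b64url(secrets.token_bytes(256))}
    token = secrets.token_urlsafe(32)  # in reality issued by the CA
    keyauth = key_authorization(token, account_jwk)
    with tempfile.TemporaryDirectory() as docroot:
        place_challenge(docroot, token, keyauth)
        httpd = serve(docroot)
        base = f"http://127.0.0.1:{httpd.server_address[1]}"
        right_key = validate(base, token, keyauth)
        wrong_key = validate(base, token, key_authorization(token, other_jwk))
        missing = validate(base, secrets.token_urlsafe(32), keyauth)
        httpd.shutdown()
        httpd.server_close()
    return right_key, wrong_key, missing


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The three results show what the CA actually checks: the right file in the right place passes, a file built from a different account key fails, and a missing file fails. Nothing on Server B needs the certificate's private key or the account key; it only needs to serve (or redirect) that one path.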