Distributed setup

Hi All

Trying to figure out a solution for this, could do with some advice.

Have one website running on two web servers with two load balancers.
I think when I need to auto-renew the cert, I will have to copy it to all of the
servers and restart the services. I have seen something about hooks,
but cannot figure out how they work. Are they scripts that are run?
If so, where do I put the scripts and how does certbot-auto run them?
Also the certs are all pem files, so I need to convert them to crt and key
files before copying.

Thanks in advance.

Hi @BlueSky,

Common extensions used for PEM encoded certificates are .cer, .crt, and .pem though on a *nix based system the extensions aren’t required.

Regarding certbot hooks, please review the documentation at https://certbot.eff.org/docs/using.html?highlight=hook#pre-and-post-validation-hooks.

You could automate distributing the cert via shared storage like an NFS mount, rsyncing over ssh, etc.

Hi

Thanks Phil

I have started on the scripts. Small problem: if I test a renew and the SSL is not due for renewal, nothing happens. Is there a test system or some way of forcing the SSL to expire, keeping in mind I may
need to force it to expire quite a few times in one day if the scripts need changes?

If you are using --post-hook, you can use --dry-run. However it won’t work with --deploy-hook. Which are you using?

Relevant feature request :frowning: : https://github.com/certbot/certbot/issues/5658


Hi

I was planning to use --deploy-hook to copy the SSL cert and key file to the other servers.

Well, in the absence of a proper solution, maybe it’s worth writing a short shell script that can serve as a testing harness.

For example,

#!/usr/bin/env bash
# Simulate the environment variables certbot exports when it runs a --deploy-hook
export RENEWED_LINEAGE=/etc/letsencrypt/live/example.org
export RENEWED_DOMAINS="example.org www.example.org"

# Run the hook exactly as certbot would
/path/to/your/deploy/hook.sh
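A deploy hook that covers both of the points raised above (Phil's suggestion of copying the cert over ssh, and the problem of testing a --deploy-hook when --dry-run will not run it), as an added example that is not code from the original posts. It copies fullchain.pem and privkey.pem from RENEWED_LINEAGE to each host as <name>.crt and <name>.key (no conversion needed, since PEM is PEM whatever the extension), checks the sha256 on the far side before swapping the files into place, and reloads the service. The host names, DEST_DIR, the nginx reload command, working ssh keys and the presence of sha256sum on every host are all assumptions. The ssh and scp commands are read from REMOTE_SHELL and REMOTE_COPY so the script can be exercised locally with stand-in functions, which is what the harness post above is after.

```shell
#!/usr/bin/env bash
# deploy.sh: certbot --deploy-hook for a multi-server setup (added example, not from the thread).
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and
# RENEWED_DOMAINS when it runs this hook after a successful renewal.
set -eu

# Assumed hosts that need the cert; the ssh user must be able to write to DEST_DIR
# and run RELOAD_CMD on each of them.
DEPLOY_HOSTS="${DEPLOY_HOSTS:-web1.example.org web2.example.org lb1.example.org lb2.example.org}"
DEST_DIR="${DEST_DIR:-/etc/ssl/example.org}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"
# Transport commands, overridable so the hook can be tested without real hosts.
REMOTE_SHELL="${REMOTE_SHELL:-ssh}"
REMOTE_COPY="${REMOTE_COPY:-scp}"

# Refuse to deploy unless the lineage certbot handed us actually holds a cert and key.
check_lineage() {
  lineage="$1"
  for f in fullchain.pem privkey.pem; do
    [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
  done
}

# Copy fullchain.pem -> <name>.crt and privkey.pem -> <name>.key onto one host.
# Files are staged under a temporary name, verified by checksum, then moved into
# place atomically so a half-written key is never picked up by a reload.
deploy_to_host() {
  host="$1"; lineage="$2"; name="$3"
  $REMOTE_COPY "$lineage/fullchain.pem" "$host:$DEST_DIR/.$name.crt.tmp"
  $REMOTE_COPY "$lineage/privkey.pem"   "$host:$DEST_DIR/.$name.key.tmp"
  want_crt=$(sha256sum < "$lineage/fullchain.pem" | cut -d' ' -f1)
  want_key=$(sha256sum < "$lineage/privkey.pem"   | cut -d' ' -f1)
  $REMOTE_SHELL "$host" "set -e; cd '$DEST_DIR'
    [ \"\$(sha256sum < .$name.crt.tmp | cut -d' ' -f1)\" = '$want_crt' ]
    [ \"\$(sha256sum < .$name.key.tmp | cut -d' ' -f1)\" = '$want_key' ]
    chmod 0644 .$name.crt.tmp; chmod 0600 .$name.key.tmp
    mv -f .$name.crt.tmp $name.crt; mv -f .$name.key.tmp $name.key
    $RELOAD_CMD"
}

# Entry point: deploy the lineage given as $1, or the one certbot exported.
deploy_cert() {
  lineage="${1:-${RENEWED_LINEAGE:-}}"
  [ -n "$lineage" ] || { echo "RENEWED_LINEAGE not set" >&2; return 1; }
  check_lineage "$lineage" || return 1
  name=$(basename "$lineage")
  for host in $DEPLOY_HOSTS; do
    deploy_to_host "$host" "$lineage" "$name"
  done
}

# Only act when certbot (or the harness above) has set RENEWED_LINEAGE.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_cert
fi
```

To test it without a renewal, point REMOTE_COPY and REMOTE_SHELL at small shell functions that strip the "host:" prefix and run the remote command locally with sh -c, set DEST_DIR to a scratch directory, and call deploy_cert with a directory containing dummy fullchain.pem and privkey.pem files; the checksum step then proves the files arrived intact.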

Hi

FYI DNS is in Cloudflare so I was looking at something like:

certbot-auto certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh --deploy-hook /path/to/deploy.sh -d mydomain.com -d *.mydomain.com