Distributed setup

BlueSky · July 12, 2019, 11:07am

Hi All

Trying to figure out a solution for this, could do with some advice.

Have one website running on two web servers with two load balancers,
I think when I need to auto renew the cert, I will have copy it to all of the
servers and restart the services, have seen something about hooks,
but can not figure out how they work, are they scripts that are run
if so where do I put the scripts and how does certbot-auto run them,
also the certs are all pem files so I need to convert them to crt and key
files before copying.

Thanks in advance.

Phil · July 12, 2019, 3:27pm

Hi @BlueSky,

Common extensions used for PEM encoded certificates are .cer, .crt, and .pem though on a *nix based system the extensions aren’t required.

Regarding certbot hooks, please review the documentation at https://certbot.eff.org/docs/using.html?highlight=hook#pre-and-post-validation-hooks.

You could automate distributing the cert via shared storage like an NFS mount, rsyncing over ssh, etc.

BlueSky · July 15, 2019, 8:33am

Hi

Thanks Phil

I have started on the scripts, small problem, if I test a renew and the SSL is not due for renewal nothing happens, is there a test system or someway of forcing the SSL to expire, keeping in mind I may
need to force it to expire quite a few times in one day if the scripts need changes?

_az · July 15, 2019, 8:37am

If you are using --post-hook, you can use --dry-run. However it won’t work with --deploy-hook. Which are you using?

Relevant feature request : https://github.com/certbot/certbot/issues/5658

BlueSky · July 15, 2019, 8:57am

Hi

I was planning to use --deploy-hook to copy the SSL cert and key file to the other servers.

_az · July 15, 2019, 9:00am

Well, in the absence of a proper solution, maybe it’s worth writing a short shell script that can serve as a testing harness.

For example,

#!/usr/bin/env bash
export RENEWED_LINEAGE=/etc/letsencrypt/live/example.org
export RENEWED_DOMAINS="example.org www.example.org"

/path/to/your/deploy/hook.sh

BlueSky · July 15, 2019, 9:07am

Hi

FYI DNS is in Cloudflare so I was looking at something like:

certbot-auto certonly --manual --preferred-challenges=dns --manual-auth-hook /path/to/dns/authenticator.sh --manual-cleanup-hook /path/to/dns/cleanup.sh --deploy-hook /path/to/deploy.sh -d mydomain.com -d *.mydomain.com

system · August 14, 2019, 9:07am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.