Do I have to generate my certs on the same hosts where the domains reside?

I manage the DNS for a few different hosts, and I'm wondering if I have to generate the certs for each domain from the host on which the domain resides.

I use "manual auth" with TXT-record-based authentication, so I'm wondering if I could generate the certs for all the domains on one host, and then just scp the key and pem files to the appropriate machines.

It would be ideal for me if I could do this, because one of my hosts is faster and has more capacity, and it's the one where the DNS server resides.

Is this a possibility? Or does the host on which the certs are requested have to be the same host on which the domain resides?

Thank you very much.

2 Likes

In the DNS challenge, the only thing LE cares about is the DNS server replying with the right record, so if you can update the DNS record remotely, you can use the client on any machine. Actually, you can do that on your desktop too if you want.

4 Likes

Yes, it's one of the advantages of the dns-01 challenge. It's possible with the http-01 challenge too with redirects, but that's harder to set up, as the dns-01 challenge is already built "by design" to be validated on different hosts than the certificate-issuing host, since DNS servers are often different hosts.

I would recommend automating the DNS challenge too, by the way. All that manual tinkering is quite laborious, and if all employees who know how to do it are on holiday (for example) and a cert expires, you're in trouble.

5 Likes

Many thanks to both of you!

This makes my life a lot easier, and it also allows me to manage the certs for my Debian 8 host on which certbot is not supported. The host I will run this on uses Debian 10.

When I said "manual", it's actually through the use of "--manual-auth-hook", which means that it's automated.

I laugh about the name "manual auth hook", which is actually a non-manual procedure. 🙂

3 Likes
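As an added illustration of the `--manual-auth-hook` / `--manual-cleanup-hook` setup described in this thread (not a script posted by anyone here): a single POSIX sh hook for the dns-01 challenge, meant to run on the host that also runs the authoritative DNS server, as the original poster describes. The nsupdate path, the TSIG key location, the local DNS server address and the certbot invocation in the header are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed usage:
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/usr/local/bin/acme-dns-hook.sh add" \
#     --manual-cleanup-hook "/usr/local/bin/acme-dns-hook.sh delete" -d example.org
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to both hooks.
# Assumption: the zone is updated with nsupdate and a TSIG key whose
# server-side update-policy only grants _acme-challenge TXT records,
# so a compromised hook cannot rewrite the rest of the zone.
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/acme-tsig.key}"  # assumed path
DNS_SERVER="${DNS_SERVER:-127.0.0.1}"                    # assumed: DNS server is local
TTL=60                                                   # short TTL: record is throwaway

# Name of the TXT record the CA queries for the dns-01 challenge.
acme_record_name() {
    printf '_acme-challenge.%s.\n' "$1"
}

# Print the nsupdate script for one add/delete of the challenge record.
# $1 = add|delete, $2 = domain, $3 = validation token from certbot.
# The token is base64url, so anything else is refused rather than being
# passed on to a tool that can rewrite the zone.
nsupdate_stanza() {
    action="$1"; domain="$2"; token="$3"
    [ -n "$token" ] || { echo "empty validation token" >&2; return 1; }
    case "$token" in
        *[!A-Za-z0-9_-]*) echo "refusing non-base64url token" >&2; return 1 ;;
    esac
    printf 'server %s\n' "$DNS_SERVER"
    printf 'update %s %s %s IN TXT "%s"\n' "$action" "$(acme_record_name "$domain")" "$TTL" "$token"
    printf 'send\n'
}

# Entry point when certbot runs the hook: apply the update, then for "add"
# wait until the server actually answers with the record before returning,
# so the CA is not told to validate too early.
main() {
    nsupdate_stanza "${1:-}" "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" | nsupdate -k "$TSIG_KEY" || exit 1
    if [ "${1:-}" = add ]; then
        for _try in 1 2 3 4 5; do
            dig +short @"$DNS_SERVER" TXT "$(acme_record_name "$CERTBOT_DOMAIN")" \
                | grep -qF -- "$CERTBOT_VALIDATION" && exit 0
            sleep 2
        done
        echo "challenge record not visible on $DNS_SERVER yet" >&2; exit 1
    fi
}

# Only act when invoked by certbot (the variables are set); sourcing is a no-op.
if [ -n "${CERTBOT_DOMAIN:-}" ] && [ -n "${CERTBOT_VALIDATION:-}" ]; then main "$@"; fi
```

Copying the resulting key and cert to the machine that actually serves the domain can then be done from a `--deploy-hook`, which certbot runs only after a successful issuance.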

Yes, it sounds quite contradictory indeed. I guess the reason for this is that the auth hook and cleanup hook were built into the manual plugin when the manual plugin already existed. If I recall correctly, there was a plugin called "script" or something like that earlier for those hooks, but it was decided that it would make sense to combine the manual and script plugins into a single plugin.

3 Likes

I figured that the naming was probably due to something like that. I just like the irony of the name. 🙂

Anyway, I have now set this up on my Debian 10 host for all of my domains which are hosted on all my machines, and it's working great.

Thanks again.

3 Likes