Do I have to generate my certs on the same hosts where the domains reside?

HippoMan · December 24, 2020, 5:20am

I manage the DNS for a few different hosts, and I'm wondering if I have to generate the certs for each domain from the host on which the domain resides.

I use "manual auth" with TXT-record-based authentication, so I'm wondering if I could generate the certs for all the domains on one host, and then just scp the key and pem files to the appropriate machines.

It would be ideal for me if I could do this, because one of my hosts is faster and has more capacity, and it's the one where the DNS server resides.

Is this a possibility? Or does the host on which the certs are requested have to be the same host on which the domain resides?

Thank you very much.

orangepizza · December 24, 2020, 6:13am

in DNS challenge only thing LE cares about is DNS server replay with right record, so you can update dns record remotely you can use client on any machine. actually you can do that in your desktop too if you want.

Osiris · December 24, 2020, 7:14am

Yes, it's one of the advantages of the dns-01 challenge. It's possible with the http-01 challenge too with redirects, but that's harder to set up, as the dns-01 challenge is already build "by design" to be validated on different hosts than the certificate issuing host, as DNS servers often are different hosts.

I would recommend to automate the DNS challenge too by the way. All that manual tinkering is quite laboursome and if all employees who know how to do it are on holiday (for example) and a cert expires, you're in trouble.

HippoMan · December 24, 2020, 3:11pm

Many thanks to both of you!

This makes my life a lot easier, and it also allows me to manage the certs for my Debian 8 host on which certbot is not supported. The host I will run this on uses Debian 10.

When I said "manual", it's actually through the use of "--manual-auth-hook", which means that it's automated.

I laugh about the name "manual auth hook" which actually is a non-manual procedure.

Osiris · December 24, 2020, 5:16pm

Yes, it sounds quite contradictory indeed. I guess the reason for this is that the auth hook and cleanup hook are build into the manual plugin when the manual plugin already existed. If I recall correctly, there was a plugin called "script" or something like that earlier for those hooks, but it was decided that it would make sense to combine the manual and script plugin into a single plugin.

HippoMan · December 25, 2020, 1:14am

I figured that the naming was probably due to something like that. I just like the irony of the name.

Anyway, I have now set this up on my Debian 10 host for all of my domains which are hosted on all my machines, and it's working great.

Thanks again.