So I successfully managed to get a high level example.com domain, and a home.example.com certificate for one machine that I have publicly available.
I now have another machine that I’d like a certificate for under machine.example.com.
Should this come under the other certificate's renewal, and should I copy the cert files to the other machine for use? Or should this machine make requests itself and manage itself?
There’s a security benefit in principle if each machine capable of getting its own certificate gets a separate certificate and uses a separate private key, because then, among other things, attacks against the individual machines don’t threaten the security of connections to the other machines. However, it’s not always the most convenient thing to work this way.
Can you use the DNS challenge method by updating the DNS zone? Then you don’t have to receive incoming connections on the other machine to pass the challenge.
So I used the DNS challenge yesterday to get the initial authorisation. Would I just leave that in effect on my domain so that when renewal time comes it authenticates again?
You can continue to use DNS-01, but next time you renew, the random DNS record value will be different. Leaving your old TXT record in place won't allow you to renew the certificate.
You need to repeat the same process, including setting the new DNS record value, every time.
That's why DNS-01 is best when DNS changes can be fully automated, by munging .zone files, or through an API, or similar.
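As an added illustration of the "munging .zone files" approach (this is example code written for this thread, not part of any reply above and not certbot's or Let's Encrypt's own code): a hypothetical certbot `--manual-auth-hook` that, on every renewal, throws away the previous `_acme-challenge` TXT record and publishes the new random value certbot hands it. It works for any hostname, not only machine.example.com. certbot really does export `CERTBOT_DOMAIN` and `CERTBOT_VALIDATION` to the hook; the zone file path, the `; serial` comment convention used to find the SOA serial, and reloading with `rndc` are assumptions of this example.

```python
# Hypothetical certbot --manual-auth-hook that rewrites a BIND-style zone file.
# certbot really exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the
# zone path, the "; serial" comment convention and "rndc reload" are assumptions.
import os
import re
import subprocess

# Constructed sample zone with a stale challenge record from the last renewal.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2024010101 ; serial
        3600 900 1209600 300 )
@   IN NS ns1.example.com.
_acme-challenge.machine.example.com. 60 IN TXT "OLD-VALUE-FROM-LAST-RENEWAL"
machine IN A 192.0.2.10
"""
SERIAL_RE = re.compile(r"^(\s*)(\d+)(\s*;\s*serial.*)$", re.MULTILINE)


def update_zone(zone_text, domain, validation):
    """Return zone_text with exactly one fresh _acme-challenge TXT record for
    domain, and the SOA serial incremented so secondaries reload."""
    name = f"_acme-challenge.{domain}."
    # Drop every old challenge record for this name: the value from the previous
    # authorisation is useless for the new one, so it must not be left in place.
    kept = [ln for ln in zone_text.splitlines() if not ln.startswith(name + " ")]
    kept.append(f'{name} 60 IN TXT "{validation}"')
    text = "\n".join(kept) + "\n"
    m = SERIAL_RE.search(text)
    if m is None:
        raise ValueError("zone has no '; serial' annotated SOA serial line")
    bumped = f"{m.group(1)}{int(m.group(2)) + 1}{m.group(3)}"
    return text[:m.start()] + bumped + text[m.end():]


def challenge_values(zone_text, domain):
    """TXT values currently published at the domain's challenge name."""
    name = re.escape(f"_acme-challenge.{domain}.")
    return re.findall(rf'^{name} .*TXT "([^"]*)"', zone_text, re.MULTILINE)


if __name__ == "__main__":
    zone_path = os.environ.get("ZONE_FILE", "/var/named/db.example.com")  # assumption
    domain, validation = os.environ["CERTBOT_DOMAIN"], os.environ["CERTBOT_VALIDATION"]
    with open(zone_path) as fh:
        updated = update_zone(fh.read(), domain, validation)
    with open(zone_path, "w") as fh:
        fh.write(updated)
    subprocess.run(["rndc", "reload"], check=True)  # assumption: BIND managed via rndc
```

In practice the hook should also wait for the new record to propagate before returning, and a matching `--manual-cleanup-hook` should remove it once validation is done.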