How should we manage same certs on multiple servers

rgarrigue · February 7, 2019, 8:23am

Hi

We’ve a bunch of HAProxy sharing more or less the same wildcard certs, validated with a DNS challenge, our NS provider being AWS route53. The problem is how to manage those certificates, how do we renew them.

Having each server renewing its own certificates, the commons and the specific means one route53 token for each so it’ll push the required _acme-challenge itself. Easy I’ld say, one good script, one token, here you go. But well, security wise, one token for our zone for each server… maybe not. Not sure if we can tailor an AWS token for editing only _acme-challenge entries for ex.
Having one server, most likely not one of the reverse proxy but something like a specialized CI worker renewing all certificates, and pushing them somehow. Workflow’s more complicated with one more server, a bunch of script and parameters to know what’s I’m renewing to who sending how…

So I’m looking for the patterns implemented out there to deal with the same problematic, if anyone feel like sharing ?

Best regards,

_az · February 7, 2019, 8:39am

When I’ve done it, it’s been:

One ACME client responsible for issuing and renewing the certificate
Certificate private key pre-distributed to each node (i.e. it never changes)
On renewal, the ACME client pushes the renewed certificate to S3 bucket
On consumers, daily cron task to pull the certificate from S3 and graceful reload haproxy

This was convenient because each node already had common access to an S3 bucket, but obviously you can choose whatever tech variations you want.

I’ve also experimented with using serverless frameworks to issue and renew certificates (and then push to bucket) for reliable execution and no SPOF, and it allows you to give IAM role to update DNS zone only to the e.g. serverless task, instead of your server(s).

rgarrigue · February 7, 2019, 9:33am

Hey _az

Thanks for the feedback! You’re using --reuse-key to keep the private key static I guess ?

_az · February 7, 2019, 9:46am

I use a different client (acmetool) in that environment, but yes, --reuse-key would be the right thing to do with Certbot.

mnordhoff · February 7, 2019, 10:26am

Not directly. Route 53 doesn't offer permissions more granular than "write any records in this hosted zone".

You could configure it indirectly by using multiple hosted zones (if you're willing to pay Amazon an additional $0.50 or $0.25 per month). Some ACME clients might have difficulty with more complicated setups.

rgarrigue · February 7, 2019, 10:41am

Thanks for the precision, save me the time to check this point

rg305 · February 7, 2019, 9:42pm

If all else fails, can you just replicate the process to each server?
That is, each server would have, and maintain, its’ own cert(s).
I think LE limits on same named certs are 5/week.
So even 20 servers can renew in less than 1 month.

system · March 9, 2019, 9:43pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.