We have a bunch of HAProxy servers sharing more or less the same wildcard certs, validated with a DNS challenge, our NS provider being AWS Route53. The problem is how to manage those certificates: how do we renew them?
Having each server renew its own certificates, the common ones and the specific ones, means one Route53 token for each so it can push the required _acme-challenge records itself. Easy, I’d say: one good script, one token, here you go. But security-wise, one token for our zone on each server… maybe not. Not sure if we can tailor an AWS token to edit only _acme-challenge entries, for example.
Having one server, most likely not one of the reverse proxies but something like a specialized CI worker, renew all certificates and push them somehow. The workflow is more complicated with one more server, and a bunch of scripts and parameters to know what I’m renewing, who to send it to and how…
So I’m looking for the patterns implemented out there to deal with the same problem, if anyone feels like sharing?
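Added example, not part of the original post: the per-server token the post is unsure about can in fact be scoped. IAM exposes the Route 53 condition keys `route53:ChangeResourceRecordSetsNormalizedRecordNames`, `route53:ChangeResourceRecordSetsRecordTypes` and `route53:ChangeResourceRecordSetsActions`, so a token can be limited to UPSERT/DELETE of the TXT record at `_acme-challenge.<zone>` in one hosted zone. The block below builds such a policy for a placeholder zone (`Z0123456789EXAMPLE` / `example.com` are assumptions) and runs a small local model of how IAM evaluates those keys against a few constructed change batches: a legitimate renewal, an A-record hijack, an A change smuggled into the same batch, and a challenge for a different name. The evaluator is a simplified mirror of the documented semantics (`ForAllValues` requires every change in the batch to match); the authoritative check is the IAM policy simulator against the real account.

```python
"""Least-privilege Route 53 policy for ACME DNS-01, with an offline model of what it permits.

Added example, not from the original thread. Hosted zone ID "Z0123456789EXAMPLE" and zone
"example.com" are placeholders. The three condition keys are real Route 53 IAM keys; the
evaluator below is a simplified local model of them, not a substitute for the IAM simulator.
"""
import json

WRITE_ACTION = "route53:ChangeResourceRecordSets"
K_NAMES = "route53:ChangeResourceRecordSetsNormalizedRecordNames"
K_TYPES = "route53:ChangeResourceRecordSetsRecordTypes"
K_ACTIONS = "route53:ChangeResourceRecordSetsActions"


def normalize(name: str) -> str:
    """Route 53 compares record names lowercased and without the trailing dot."""
    return name.lower().rstrip(".")


def acme_challenge_policy(hosted_zone_id: str, zone_apex: str) -> dict:
    """Policy for one renewer: read the zone, write only the _acme-challenge TXT record.

    A wildcard cert for *.example.com and a cert for example.com both validate at
    _acme-challenge.example.com, so one name covers the common wildcard case.
    """
    zone_arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # ACME clients need these to locate the zone and poll change propagation
                "Sid": "FindZoneAndPollChange",
                "Effect": "Allow",
                "Action": ["route53:ListHostedZones", "route53:ListHostedZonesByName",
                           "route53:GetChange"],
                "Resource": "*",
            },
            {"Sid": "ReadZone", "Effect": "Allow",
             "Action": ["route53:ListResourceRecordSets"], "Resource": zone_arn},
            {
                "Sid": "WriteOnlyAcmeChallenge",
                "Effect": "Allow",
                "Action": [WRITE_ACTION],
                "Resource": zone_arn,
                # ForAllValues: every change in the batch must satisfy every key
                "Condition": {"ForAllValues:StringEquals": {
                    K_NAMES: [normalize(f"_acme-challenge.{zone_apex}")],
                    K_TYPES: ["TXT"],
                    K_ACTIONS: ["UPSERT", "DELETE"],
                }},
            },
        ],
    }


def change_batch_allowed(policy: dict, hosted_zone_id: str, changes: list) -> bool:
    """Local model of IAM's decision for one ChangeResourceRecordSets call.

    Route 53 sets each condition key to the set of names/types/actions present in the
    whole batch; with ForAllValues the call is allowed only if every element is in the
    policy's list. Deny statements are not modelled (none are used here).
    """
    zone_arn = f"arn:aws:route53:::hostedzone/{hosted_zone_id}"
    request = {
        K_NAMES: {normalize(c["ResourceRecordSet"]["Name"]) for c in changes},
        K_TYPES: {c["ResourceRecordSet"]["Type"] for c in changes},
        K_ACTIONS: {c["Action"] for c in changes},
    }
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or WRITE_ACTION not in stmt["Action"]:
            continue
        if stmt["Resource"] not in ("*", zone_arn):
            continue
        allowed = stmt.get("Condition", {}).get("ForAllValues:StringEquals", {})
        if all(request[k] <= set(v) for k, v in allowed.items()):
            return True
    return False


def txt_change(action: str, name: str, values: list) -> dict:
    """One Route 53 change for a TXT record set (TXT values must be quoted)."""
    return {"Action": action, "ResourceRecordSet": {
        "Name": name, "Type": "TXT", "TTL": 60,
        "ResourceRecords": [{"Value": f'"{v}"'} for v in values]}}


ZONE_ID, APEX = "Z0123456789EXAMPLE", "example.com"   # placeholders, not real identifiers
POLICY = acme_challenge_policy(ZONE_ID, APEX)

# Constructed requests: what the renewer does, and what a stolen token must not manage.
# A cert for example.com + *.example.com needs two TXT values at the same name; UPSERT
# replaces the whole set, so publish both values in one change, not two sequential ones.
RENEW_OK = [txt_change("UPSERT", f"_acme-challenge.{APEX}.", ["tok-apex", "tok-wildcard"])]
HIJACK_A = [{"Action": "UPSERT", "ResourceRecordSet": {
    "Name": f"www.{APEX}.", "Type": "A", "TTL": 60, "ResourceRecords": [{"Value": "192.0.2.1"}]}}]
MIXED = RENEW_OK + HIJACK_A                                       # A change smuggled into the batch
OTHER_SUB = [txt_change("UPSERT", f"_acme-challenge.other.{APEX}.", ["tok"])]  # cert for another name

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    for label, batch in [("renewal", RENEW_OK), ("A hijack", HIJACK_A),
                         ("mixed", MIXED), ("other sub", OTHER_SUB)]:
        print(f"{label:10s} allowed={change_batch_allowed(POLICY, ZONE_ID, batch)}")
```

Attach the generated policy to a dedicated IAM user or role per HAProxy host, one hosted zone per statement. A leaked token then lets an attacker obtain certificates for names whose challenge label is listed, and nothing else in the zone; if the servers also need certs for specific subdomains, add their `_acme-challenge.<sub>.<zone>` names to the list rather than widening the match.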