How to efficiently set up certificates with several prod/staging servers per region + traffic balancer?

Hi everyone,

our site is currently running on Azure. We’re running a production server (VM) on Azure SEA and an identical copy for staging. We’re going to set up production servers for the USA very soon, which would mean we’d have at least 3 servers, which then would be managed via a traffic balancer on Azure to redirect visitor traffic to the closest server.

How would/should/could we set up our TLS certificates for this? Does every server still need to set its own certificate, or can the certificate somehow be attached to the traffic balancer, which would be accessed via a CNAME from our domain pointing to the balancer?

It seems quite complicated having to set up and renew TLS certificates for every server we might run in the future.

entirely depends on if the balancing is transparent

aka user accesses www.whatever.com/blah and sees no redirects

or visible

aka user accesses www.whatever.com/blah and gets redirected by balancer to
www.us.whatever.com/blah

if the former you basically have 1 private key (a copy on each server) and one cert (a copy on each server)

in the latter each server needs a key/cert for its own name(s) only (and the balancer for its)

the former is effectively a set of mirrors/CDN, thus if using webroot auth you just have to ensure the challenge response is synced to all members during the renewal (easy with many clients such as https://github.com/lukas2511/letsencrypt.sh )
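As an added example for the transparent case (this is not code from the thread or from the client linked above, which has since been renamed dehydrated): a hook script of the kind that client calls, which pushes the HTTP-01 challenge response to every mirror before validation, checks that all of them serve the exact token, removes it afterwards, and copies the single key/fullchain pair to every server once issued. The mirror hostnames, the `MIRRORS`, `WEBROOT`, `CERT_DIR` and `RELOAD_CMD` settings, and the use of scp/ssh as the transport are assumptions; the hook action names and argument order (`deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE`, `clean_challenge` with the same triple, `deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP`) are those the client documents. A mirror entry without a colon is treated as a local directory so the script can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original thread: a hook for dehydrated
# (formerly lukas2511/letsencrypt.sh) that keeps every mirror behind a
# transparent balancer in sync for the ACME challenge and the issued cert.
set -eu

# Assumed settings. MIRRORS is a space-separated list of prefixes: either
# "user@host:" (copied over scp/ssh) or a local base directory (used for
# offline testing). WEBROOT and CERT_DIR are appended to each prefix.
MIRRORS="${MIRRORS:-deploy@sea-prod.example.invalid: deploy@us-prod.example.invalid:}"
WEBROOT="${WEBROOT:-/var/www/html}"
CERT_DIR="${CERT_DIR:-/etc/ssl/site}"
RELOAD_CMD="${RELOAD_CMD:-}"   # assumed, e.g. "systemctl reload nginx"; empty = no reload

# Transport helpers: anything containing a colon is a remote scp/ssh target.
put_file() {    # put_file SRC DEST
  case "$2" in
    *:*) scp -qp "$1" "$2" ;;
    *)   mkdir -p "$(dirname "$2")" && cp -p "$1" "$2" ;;
  esac
}
get_file() {    # get_file DEST  (contents on stdout)
  case "$1" in
    *:*) ssh -q "${1%%:*}" "cat '${1#*:}'" ;;
    *)   cat "$1" ;;
  esac
}
del_file() {    # del_file DEST
  case "$1" in
    *:*) ssh -q "${1%%:*}" "rm -f '${1#*:}'" ;;
    *)   rm -f "$1" ;;
  esac
}
chmod_file() {  # chmod_file MODE DEST
  case "$2" in
    *:*) ssh -q "${2%%:*}" "chmod $1 '${2#*:}'" ;;
    *)   chmod "$1" "$2" ;;
  esac
}
run_on() {      # run_on MIRROR CMD
  case "$1" in
    *:*) ssh -q "${1%%:*}" "$2" ;;
    *)   sh -c "$2" ;;
  esac
}

# deploy_challenge DOMAIN TOKEN_FILENAME TOKEN_VALUE [DOMAIN TOKEN_FILENAME TOKEN_VALUE ...]
# Several triples arrive at once when the client runs with HOOK_CHAIN=yes.
deploy_challenge() {
  while [ "$#" -ge 3 ]; do
    tmp=$(mktemp)
    printf '%s' "$3" > "$tmp"   # key authorization body, no trailing newline
    for m in $MIRRORS; do
      put_file "$tmp" "$m$WEBROOT/.well-known/acme-challenge/$2"
    done
    rm -f "$tmp"
    shift 3
  done
}

# clean_challenge takes the same triples and removes the token everywhere.
clean_challenge() {
  while [ "$#" -ge 3 ]; do
    for m in $MIRRORS; do
      del_file "$m$WEBROOT/.well-known/acme-challenge/$2"
    done
    shift 3
  done
}

# challenge_synced DOMAIN TOKEN_FILENAME TOKEN_VALUE
# Returns 0 only if every mirror holds exactly the expected body; with a
# balancer in front, the CA's request may land on any member, so a single
# stale or missing copy can fail validation.
challenge_synced() {
  for m in $MIRRORS; do
    got=$(get_file "$m$WEBROOT/.well-known/acme-challenge/$2" 2>/dev/null) || return 1
    [ "$got" = "$3" ] || return 1
  done
  return 0
}

# deploy_cert DOMAIN KEYFILE CERTFILE FULLCHAINFILE CHAINFILE TIMESTAMP
# Transparent balancing: one private key and one cert, a copy on each server.
deploy_cert() {
  for m in $MIRRORS; do
    put_file "$2" "$m$CERT_DIR/privkey.pem"
    chmod_file 600 "$m$CERT_DIR/privkey.pem"
    put_file "$4" "$m$CERT_DIR/fullchain.pem"
    if [ -n "$RELOAD_CMD" ]; then run_on "$m" "$RELOAD_CMD"; fi
  done
}

# Dispatch on the action name the client passes as the first argument.
case "${1:-}" in
  deploy_challenge|clean_challenge|deploy_cert) action="$1"; shift; "$action" "$@" ;;
esac
```

Point the client at it with its `--hook` option (for example `dehydrated --cron --challenge http-01 --hook ./sync-hook.sh`) and keep `MIRRORS` and the two directories in the environment or in the client's config; an SSH key on the renewal host that may only write to the webroot and cert directory on each mirror is enough, no shared filesystem is needed.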