How to handle certs with same domain on different machines?

I have two local machines which host different services.
I want to use the same domain on both but with different subdomains for each app.
I'm generating the certs using the cloudflare dns challenge on caddy.
Both machines have their own Caddy instance running.

What would be better: have a wildcard subdomain cert on a single server and then share the generated certs with both machines (copy the files or share the mount point?), or have each machine handle its own set of subdomain certs based on what it is running?

I prefer the second option because if the machine that shares the certs fails, both will be without SSL, and with each machine handling its own set both are totally independent, but I don't know what the best practice is here or if I could hit rate limits or get my IP banned.

Both machines will not go past ~25 subdomains; I don't know if this is a big or small quantity.

This is from a hobby perspective, to handle all my self-hosted apps.

PS: The option to use a single Caddy instance and reverse proxy to the other machine is not an option, because if the Caddy host fails the secondary machine will not be reachable. I prefer independent machines.

Can you use DNS authentication?


No, my ISP doesn't provide a static IP, and every time I tried to use dynamic DNS it failed.

Nor can I open ports; that's the main reason why I couldn't make the dynamic DNS work.

I don't think you understand how DNS authentication / DNS works.


I know the real basics of DNS. I definitely don't know what DNS authentication is or how that works. I did a quick Google search but definitely don't know the details of how it works. Happy to learn new things if you want to share some useful links.

Also...

I'm the owner of my domain, so I can create TXT and CNAME records on the domain's DNS dashboard.


OP says the certs are using Cloudflare DNS validation.

Really, either option works. If what you're doing right now works for you, I don't see a strong reason to change. Getting a single wildcard cert and sharing it between the systems is slightly more efficient, I guess, but I wouldn't see that as a strong reason to change what you're doing.


You're using it, just automatically. Here's more information about it:


If the subdomains are different (so each machine is running totally different sites, it's not like there's a load balancer or something trying to have the same site on multiple machines), I'd just stick with each machine getting its own certificates and keep them separate. Seems simpler to me.

Doesn't sound big enough to worry about rate limits to me.


The "dns challenge" uses "DNS authentication".
Why can't you just duplicate that same solution to however many servers need certs?
[have them all run their own Caddy and obtain their own certs - even if the names overlap]

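As an added illustration of the "each machine runs its own Caddy and gets its own certs" approach (this is example configuration written for this page, not a config posted in the thread), here is one Caddyfile per machine. It assumes the domain example.com, a Caddy build that includes the caddy-dns/cloudflare module, and a Cloudflare API token with DNS edit permission on that zone exported as CLOUDFLARE_API_TOKEN on each host; the app names and backend ports are placeholders.

```caddyfile
# --- Machine A: /etc/caddy/Caddyfile (added example, not from the thread) ---
# Assumes the caddy-dns/cloudflare module is compiled in and
# CLOUDFLARE_API_TOKEN is set in Caddy's environment (placeholder values).
{
	email admin@example.com
}

# Snippet so every site block uses the DNS-01 challenge via Cloudflare.
# Caddy issues and renews one certificate per site name; nothing is shared.
(cfdns) {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
}

app1.example.com {
	import cfdns
	reverse_proxy localhost:8081
}

app2.example.com {
	import cfdns
	reverse_proxy localhost:8082
}

# --- Machine B: /etc/caddy/Caddyfile (added example, not from the thread) ---
# Same layout, different names. This host's Caddy has its own ACME account
# and its own certificate storage; it never touches machine A's certs.
{
	email admin@example.com
}

(cfdns) {
	tls {
		dns cloudflare {env.CLOUDFLARE_API_TOKEN}
	}
}

app3.example.com {
	import cfdns
	reverse_proxy localhost:8083
}

# Sub-subdomain on machine B (e.g. for an app that needs its own host).
# A wildcard *.example.com would NOT cover this name (one label only),
# which is one reason per-name certificates are simpler here.
api.app3.example.com {
	import cfdns
	reverse_proxy localhost:8084
}
```

Each site block here results in a separate certificate order, so with roughly 25 names spread over two hosts the count stays far below Let's Encrypt's per-registered-domain weekly limit, and because the DNS-01 challenge only needs the TXT record to be publishable via the Cloudflare API, neither host needs a static IP or an open inbound port. Scope the Cloudflare token to DNS edit on the one zone and give each machine its own token, so a compromised host can be revoked without touching the other.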

To add more details:

it's not like there's a load balancer or something trying to have the same site on multiple machines),

Both machines will run different apps, nothing fancy like a load balancer or similar.

In fact, the reason I want to split the certs by subdomain instead of using a wildcard is that I'm creating an Ansible task to run containers and want it to add the Caddy entry to the Caddyfile. Handling sub-subdomains becomes tricky with wildcards in the Caddyfile and the Ansible task, plus it adds the complexity of copying or linking the certs between machines. Having certs for every subdomain and sub-subdomain makes the Ansible task straightforward and simpler.

I already tried that:

have them all run their own Caddy and obtain their own certs - even if the names overlap

That time, when the second machine generated the wildcard subdomain cert and I tried to access a subdomain on the first machine (which had already generated the wildcard cert), I got some SSL error about not valid ver, because the new wildcard cert generated by the second machine marked the cert generated by the first machine as expired or invalid (I can't remember which).

That's not a thing.
[one cert has nothing to do with any other cert]


I don't see a reason to share the certificates. Just keep them separate, so your setups are independent.

And don't worry about the scale: two instead of one is not "twice as many", it's just "one more". :slight_smile:
