I want to use LE to generate x509 certs for a semi-large fleet of systems. With that said, considering the max limit restrictions and the form for getting these restrictions lifted, I need to tie the private key for the account to all systems (obviously not ideal to replicate the private key, but this is the only option I have). I plan on doing this by using a cfg mgt solution and placing any sensitive data, such as the private key, in a vault so it can be distributed to all systems that require it. Thus, my ask to the community is as follows:
There are various paths to the information in question on my primary system, which already has the main account. These are the paths within “/etc/letsencrypt/”: “accounts”, “archive”, “csr”, “keys”, “live”, “renewal” and “renewal-hooks”. Within the “accounts” path, I have both “acme-staging-v02.api.letsencrypt.org” and “acme-v02.api.letsencrypt.org”. Within “acme-v02.api.letsencrypt.org”, I see the unique directory name, which then contains the following: “meta.json”, “private_key.json” and “regr.json”. The full path containing these three files is as follows: “/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/some random number”. With that said, do I simply deploy “/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/some random number” and the files “meta.json”, “private_key.json” and “regr.json” on all systems in order to use the account across the entire fleet?
Considering I do not need to register a new account, do I have to add an additional parameter within my certbot command syntax, or is certbot smart enough to check to see if an account is already registered?
I’d appreciate any feedback the community has on this topic.
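As an added example (not part of the post above, and not certbot's own code), here is a small Python check a practitioner could run on each fleet member after the account directory has been distributed: it confirms the three files named in the post are present, that private_key.json is not readable by group or others, that the key file is a complete RSA JWK, and that regr.json points at the expected ACME server. The directory layout is the one from the post; the file contents the demo writes are constructed placeholders, and the regr.json "uri" and meta.json field names are assumptions about certbot's format.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Layout from the post: /etc/letsencrypt/accounts/<acme server>/directory/<id>/
REQUIRED_FILES = ("meta.json", "private_key.json", "regr.json")
PROD_SERVER = "acme-v02.api.letsencrypt.org"


def check_account_dir(account_dir, expected_server=PROD_SERVER):
    """Return a list of problems found; an empty list means the copy looks usable."""
    d = Path(account_dir)
    problems = [f"missing {n}" for n in REQUIRED_FILES if not (d / n).is_file()]
    if problems:
        return problems
    key_path = d / "private_key.json"
    # A replicated account key must stay private on every host it lands on.
    mode = stat.S_IMODE(os.stat(key_path).st_mode)
    if mode & 0o077:
        problems.append(f"private_key.json mode {mode:04o} is readable by group/others")
    key = json.loads(key_path.read_text())
    if key.get("kty") != "RSA" or not all(k in key for k in ("n", "e", "d")):
        problems.append("private_key.json is not a complete RSA JWK")
    # Guard against accidentally shipping the staging account to production hosts.
    regr = json.loads((d / "regr.json").read_text())
    if expected_server not in regr.get("uri", ""):
        problems.append(f"regr.json uri does not point at {expected_server}")
    return problems


def make_demo_account_dir(base, key_mode=0o600):
    """Write a CONSTRUCTED account directory (placeholder values, not a real key)."""
    d = Path(base) / "accounts" / PROD_SERVER / "directory" / "0123456789abcdef"
    d.mkdir(parents=True)
    (d / "meta.json").write_text(json.dumps(
        {"creation_dt": "2024-01-01T00:00:00Z", "creation_host": "primary.example"}))
    (d / "private_key.json").write_text(json.dumps(
        {"kty": "RSA", "n": "PLACEHOLDER", "e": "AQAB", "d": "PLACEHOLDER"}))
    os.chmod(d / "private_key.json", key_mode)
    (d / "regr.json").write_text(json.dumps(
        {"body": {}, "uri": f"https://{PROD_SERVER}/acme/acct/PLACEHOLDER"}))
    return d


def run_demo():
    """Check a correctly permissioned copy and a loosely permissioned one."""
    with tempfile.TemporaryDirectory() as tmp:
        good = check_account_dir(make_demo_account_dir(tmp))
        loose = check_account_dir(make_demo_account_dir(Path(tmp) / "loose", key_mode=0o644))
        return good, loose
```

Point check_account_dir at the real path from the post on each host to use it outside the demo.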