Internal Management of Certificates


#1

I’ve put this in help, however Let’s Encrypt is working fine :slight_smile:

My challenge is ensuring all the various servers on my wildcard cert get new certificates when I renew the certificate. I wondered if there is a best practice mechanism for doing this or if it is simply a matter of FTPing things around. That feels risky and a bit hit and miss, so I feel there should be something; however, without an idea, internet searches don’t seem to help.

Any ideas I can follow up?


#2

If you want to keep those servers up to date with one single certificate, you could use ftp or rsync or any other tools of your choice. You could simply use a script to copy the certificate and key around when the renewal succeeds.

So basically, it’s just copying certificate around.
(Maybe you could use a script to monitor your website certificate and get an alert when the transfer / renewal fails?)

Thank you


#3

And you can avoid copying the key around by using --reuse-key, which reduces the “risky” aspect significantly.


#4

What @_az said is good advice if you’re using Certbot. Looking at your older threads I believe you’re using acme.sh (?) - if so, note that its default behaviour is the same as what certbot’s --reuse-key option does: it doesn’t generate a new key when you renew. So in either case, on renewal you just need to copy the (public) certificate, not the private key.


#5

Unless you use secure FTP, FTP is a bad idea to use (when copying the private key).
Reusing the private key makes a very big difference.
In that case, all that is being copied is already destined to be publicly available anyway.
And that can be done in any possible way, even using HTTP via curl or wget (for the public cert file).
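The approach the replies converge on (reuse the key, ship only the public chain, reload), written out as an added example that is not from this thread, Certbot, or acme.sh. It assumes a Certbot `--deploy-hook`, which exports `RENEWED_LINEAGE`; the `TARGETS` hosts, the remote layout `$dir/privkey.pem` + `$dir/fullchain.pem`, and `RELOAD_CMD` are hypothetical. Before each server swaps in the new chain it confirms the chain was issued for the private key it already holds, so a server whose key was regenerated does not end up serving a mismatched pair.

```shell
#!/bin/sh
# Hypothetical Certbot deploy hook: after a renewal done with --reuse-key, push
# ONLY fullchain.pem to each server, verify it matches that server's existing
# key, then reload. Usage: certbot renew --deploy-hook /path/to/this.sh
set -eu

# Space-separated "user@host:/dir" targets (constructed placeholders).
TARGETS="${TARGETS:-deploy@web1.example.invalid:/etc/ssl/site deploy@web2.example.invalid:/etc/ssl/site}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# SHA-256 of the DER SubjectPublicKeyInfo inside a certificate.
cert_spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# The same digest derived from a private key; equal digests mean a matching pair.
key_spki_sha256() {
  openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 when the certificate was issued for this private key.
cert_matches_key() {
  [ "$(cert_spki_sha256 "$1")" = "$(key_spki_sha256 "$2")" ]
}

deploy_to() {  # $1 = user@host:/dir, $2 = local fullchain.pem
  host="${1%%:*}"; dir="${1#*:}"
  want="$(cert_spki_sha256 "$2")"
  # Stage next to the live file over rsync/ssh; privkey.pem is never shipped.
  rsync -a --chmod=F644 "$2" "$host:$dir/fullchain.pem.new"
  # Swap in only if the server's existing key matches the new certificate.
  ssh "$host" "have=\$(openssl pkey -in '$dir/privkey.pem' -pubout -outform DER \
      | openssl dgst -sha256 | awk '{print \$NF}'); \
    [ \"\$have\" = '$want' ] || { echo 'key mismatch on $host' >&2; exit 1; }; \
    mv '$dir/fullchain.pem.new' '$dir/fullchain.pem' && $RELOAD_CMD"
}

main() {
  lineage="$1"
  # Sanity check the local pair first; a mismatch here means --reuse-key was not in effect.
  cert_matches_key "$lineage/fullchain.pem" "$lineage/privkey.pem" \
    || { echo "local cert/key mismatch in $lineage" >&2; exit 1; }
  for t in $TARGETS; do deploy_to "$t" "$lineage/fullchain.pem"; done
}

# Certbot sets RENEWED_LINEAGE for deploy hooks; otherwise only define the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then main "$RENEWED_LINEAGE"; fi
```

A failed match on any host leaves that host's live `fullchain.pem` untouched and makes the hook exit non-zero, which is the signal a monitoring script can alert on.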

