Is it wise to use Let's Encrypt certificates for a production endpoint

Hi,

So this is the scenario:

  • Our production servers run on AWS, and we use AWS ACM certificates for the load balancer HTTPS endpoint.

  • This is all fine as certificate renewal is automatic and we do not need to do anything.

  • Now, for DR purposes, we want to use GCP with a GCP load balancer.

  • However, this requires that we import our certificate to GCP.

  • This is not possible with ACM certificates.

So, one alternative is using Let's Encrypt certificate for both AWS load balancer and GCP load balancer.

Apart from the fact that we need to manually create the certificate with certbot and renew it, this does not seem like a good idea.

First of all,

  • We need to be very careful that we do not forget to renew the certificate

  • We need to maintain the machine that has certbot and created the certificate, so we can renew it.

Considering these, do you guys have any recommendations on how a third-party certificate could be generated and used in a production system?

Are there any (cost-effective) reliable services I could use?

Thank you.

I'm not quite following your question. Why can't you use the automatically-managed ACM certificate within AWS, and an automatically-managed Google certificate within GCP?

Even if you want to use a single Let's Encrypt certificate on both environments, you should be able to run whatever deploy hook you need within whatever client you're using to automatically place it wherever you need (both Amazon and Google are very API-driven, after all).

5 Likes

This is the best path, IMHO.

There are a handful of ways people do this automatically. Two that come to mind are:

  1. You can use a DNS-01 Challenge to generate the LE cert anywhere, including an office machine. That machine can then be scripted to install the certificates on your various platforms, or the cloud.
  2. Some servers/balancers support cloud storage of certificates. They will read/write/detect changes from cloud storage. This allows you to handle dynamic scaling without worrying about rate limits and duplicate certificates.
5 Likes
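The deploy-hook approach the two replies above describe (issue the cert once via DNS-01 on any machine, then script the install into each cloud), as an added example in shell. This is not code from the thread or from certbot; the script, the ACM_CERT_ARN / GCP_TARGET_PROXY / GCP_CERT_PREFIX variables and the lb-cert naming are all assumptions. It also handles a detail the replies only gesture at: AWS ACM lets you re-import over an existing ARN, so the load balancer listener needs no change, whereas GCP ssl-certificate resources are immutable, so every renewal has to create a new resource and repoint the target proxy at it.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook (added example, not from the thread or from certbot):
# push a freshly issued/renewed Let's Encrypt certificate to an existing AWS ACM
# certificate and to a GCP global HTTPS load balancer.
#
# Assumed (hypothetical) environment: the aws and gcloud CLIs are installed and
# authenticated; ACM_CERT_ARN is the ACM certificate already attached to the AWS
# load balancer; GCP_TARGET_PROXY is the target-https-proxy of the GCP load balancer.
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) when it runs
# a --deploy-hook, so the push only happens when certbot actually renewed something.
set -eu

ACM_CERT_ARN="${ACM_CERT_ARN:-}"
GCP_TARGET_PROXY="${GCP_TARGET_PROXY:-}"
GCP_CERT_PREFIX="${GCP_CERT_PREFIX:-lb-cert}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints the commands instead of executing them

# Execute a command, or echo it when dry-running.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# SHA-256 fingerprint of a PEM certificate, e.g. "AB:CD:EF:...".
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# GCP ssl-certificate resources are immutable, so each renewal needs a new,
# unique resource name. Derive one from the fingerprint: a letter-initial
# prefix plus the first 12 lowercase hex characters (valid GCP resource name).
gcp_cert_name() {
  prefix="$1"
  fp="$2"
  short=$(printf '%s' "$fp" | tr -d ':' | tr 'A-F' 'a-f' | cut -c1-12)
  printf '%s-%s' "$prefix" "$short"
}

# Re-import over the SAME ACM certificate: the ARN is kept, so the ALB/NLB
# listener that references it picks up the new certificate with no change.
# ACM wants the leaf in --certificate and the issuer chain in --certificate-chain.
import_to_acm() {
  lineage="$1"
  run aws acm import-certificate \
    --certificate-arn "$ACM_CERT_ARN" \
    --certificate "fileb://$lineage/cert.pem" \
    --private-key "fileb://$lineage/privkey.pem" \
    --certificate-chain "fileb://$lineage/chain.pem"
}

# Create a new GCP certificate resource and point the target proxy at it.
import_to_gcp() {
  lineage="$1"
  name=$(gcp_cert_name "$GCP_CERT_PREFIX" "$(cert_fingerprint "$lineage/cert.pem")")
  run gcloud compute ssl-certificates create "$name" \
    --certificate "$lineage/fullchain.pem" \
    --private-key "$lineage/privkey.pem" \
    --global
  run gcloud compute target-https-proxies update "$GCP_TARGET_PROXY" \
    --ssl-certificates "$name" \
    --global
}

# Push to every target that is configured; skip the ones that are not.
deploy_all() {
  lineage="$1"
  if [ -n "$ACM_CERT_ARN" ]; then
    import_to_acm "$lineage"
  fi
  if [ -n "$GCP_TARGET_PROXY" ]; then
    import_to_gcp "$lineage"
  fi
}

# Only act when certbot invoked this script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_all "$RENEWED_LINEAGE"
fi
```

Wire it in once at issuance, for instance `certbot certonly --dns-route53 -d example.com --deploy-hook /path/to/deploy-hook.sh` (assuming the Route 53 DNS plugin for the DNS-01 challenge; any DNS plugin works). certbot records the hook in the renewal config and a cron or systemd timer running `certbot renew` then calls it only when a certificate was actually renewed, which is what removes the "don't forget to renew" and "push it by hand" steps from the original post. Test it first with `DRY_RUN=1` to see the exact aws and gcloud commands without touching either cloud.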

Ah cool, will try that! :)

1 Like
