Is server efficient when same cert requested from multiple systems?


#1

Let’s say you duplicate the account key info to two hosts (say a pair of production web servers) - and duplicate the previously generated private key for the requested certs.

Issue LE cert renewal request on server 1 - and get the new cert.

Later - say the next day - you issue the same renewal on server 2 - which still has the old cert on it.

Does the LE/boulder server handle this efficiently - and give server 2 the same cert as it did for server 1? Or does it force a new cert to be generated on your end?

I would expect this to be a common deployment model for redundant services when you don’t necessarily want to directly mirror config between them - setting them up in parallel, but with alternating maintenance windows. I would hate to see this common situation result in waste/overhead on the CA side.

If it’s not already supported, a nice feature would be some way of telling the api and the client “allow server side renewal cache window of X days” - to where it would send back the previously generated cert if it matches the private key signature and was generated within X days.


#2

No, a new certificate will be generated. Currently the enumeration of certificates issued by the ACME server isn’t supported, so a client couldn’t look for already issued certificates even if it wanted to.


#3

@hlandau that is correct, but a client
a) could fetch the cert from the other productive server.
b) from CT-Log server
c) via serial number from LE
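A client-side version of the "cache window" idea from the first post, combined with option a) above (fetch the cert from the other production server): before server 2 opens a new ACME order, it checks that the certificate copied from server 1 matches the shared private key and was issued within X days, and only falls back to requesting a new one otherwise. This is an added example, not code from this thread or from Let's Encrypt/boulder; the certificate it builds is a constructed self-signed stand-in for a CA-issued one so the check runs offline, and the hostname and serial are made-up values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CertMatchesKey reports whether the certificate was issued for the given
// private key, by comparing the public key embedded in the certificate with
// the public half of the local key (the "matches the private key" check).
func CertMatchesKey(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	return pub.Equal(&key.PublicKey)
}

// ShouldReuse decides whether server 2 can install the certificate already
// obtained by server 1 instead of issuing a fresh ACME order. It reuses the
// cert only if it matches the shared private key, is currently valid, and
// was issued no more than maxAge ago (the "X days" window), as of time now.
func ShouldReuse(cert *x509.Certificate, key *ecdsa.PrivateKey, maxAge time.Duration, now time.Time) (bool, error) {
	if !CertMatchesKey(cert, key) {
		return false, errors.New("certificate public key does not match local private key")
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return false, errors.New("certificate is not valid at the current time")
	}
	if now.Sub(cert.NotBefore) > maxAge {
		return false, nil // outside the cache window: request a new cert
	}
	return true, nil
}

// ParseCertPEM decodes a PEM-encoded certificate as copied from the other server.
func ParseCertPEM(pemBytes []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, errors.New("no CERTIFICATE block in PEM input")
	}
	return x509.ParseCertificate(block.Bytes)
}

// MakeTestCert builds a constructed, self-signed stand-in for a CA-issued
// certificate (90-day lifetime) so the example runs offline. notBefore is
// the issuance time; serial is a made-up serial number.
func MakeTestCert(key *ecdsa.PrivateKey, serial int64, notBefore time.Time) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "www.example.com"}, // constructed name
		DNSNames:     []string{"www.example.com"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// The private key duplicated to both hosts.
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	issued := time.Now().Add(-24 * time.Hour) // server 1 renewed yesterday
	pemBytes, _ := MakeTestCert(key, 1001, issued)
	cert, _ := ParseCertPEM(pemBytes)
	reuse, err := ShouldReuse(cert, key, 7*24*time.Hour, time.Now())
	fmt.Printf("serial=%s reuse=%v err=%v\n", cert.SerialNumber, reuse, err)
}
```

The serial number printed at the end is what option c) refers to: once two hosts hold certificates for the same key, comparing serials (or fingerprints) is the quickest way to tell whether they are the same issuance or whether one host has silently requested a duplicate.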