Issuing cert for multiple servers


#1

There are several topics on this subject - too many to actually wade through. Many are 2-3 years old as well so are basically obsolete, I think as they often start out with … when dns-01 challenges become available… which, I believe are available now, no?

From what I have been able to gather about dns-01 challenges is that I will need to place a txt record in dns for each domain. I am going to assume that any server which I am running certbot on will renew the cert on that server if the dns-01 challenge is correct. Do I assume correctly?

Will this txt record be valid for one time use only? Will I have to change it for each server to obtain/renew a cert?

So, I guess what I am asking for is knowledge with the best way to proceed. To clarify my A records look like:

;; QUESTION SECTION:
;example.com.        IN    A

;; ANSWER SECTION:
example.com.    300    IN    A    198.51.100.42
example.com.    300    IN    A    203.0.113.13
example.com.    300    IN    A    192.0.2.37

(NOTE: I stole the above from someone else’s old post.)

… in a perfect world would like each of the 3 servers to install and renew its own cert for each domain in question. Do-able? If not, what is the recommended path to take?


#2

Yes

Any time you run a new certificate issuance (regardless of where you run it from), you’re going to have to set a new TXT record.

It is one-time-use only, yes. Once you have the certificate, the TXT record may be deleted.

Next time the certificate needs to be renewed, you will be required to set a new TXT record.

“Yes”.

There is a short caching period for authorizations for the same ACME account key and DNS identifier, but it is an opaque optimization by the CA, and not something to depend upon. You must be prepared to set a new TXT record every time.

If you only have 3 servers, then you can hypothetically get each one of them to perform an independent certificate issuance, yes, and you will have 3 unique certificates, 1 per server. Mind the rate limits. To achieve this, each server’s Certbot will need to be able to update your TXT records via an API (depending on your DNS host).

Alternatively, you can have one master server generate a certificate, and then automate distribution of that certificate among the three servers. That way there is only one certificate. To achieve this, only one of your three servers needs to be able to update the TXT records, but you’ll have to manually implement the copying around of the certificate.


#3

Thanks _az … can you expand upon the quoted part? We run our own DNS so updates are done manually on the primary server and then transferred via AXFR to the slaves.
I am imagining that we will have to manually update this TXT record at certificate issuance … how would certbot be involved in this (noting your mention that each server’s Certbot would need to be able to update via API)?


#4

In that case, you might use Certbot’s RFC2136 plugin to perform an nsupdate to your authoritative NS.

If you hosted your zone on Cloudflare, you’d use their actual REST API (again, via plugin) to do the job instead.

Varying definitions of “API” depending on what your options are.

In all scenarios, “manual” addition of the TXT record must be avoided. That is not a functional Let’s Encrypt workflow.


#5

Ok, I think the RFC2136 plugin is the likely answer … I will have to research it further to be certain.

Thanks again!


#6

Note that certbot defaults to creating a new private key for the renewed certificate; if you want to avoid having an automated process copying that around too, you can use the --reuse-key option.

(edit: just realized you’re probably leaning towards the other option, but meh, this is useful information anyway :stuck_out_tongue_winking_eye: )
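A concrete setup for the RFC2136 path from #4, combined with the --reuse-key option from #6, as an added example that is not from this thread or from Certbot's own documentation. The TSIG key name certbot-acme, the primary's address 192.0.2.53, the secret and the credentials path are all assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: wire Certbot's dns-rfc2136 plugin to a
# self-hosted BIND primary so each of the three servers can issue and renew its
# own certificate. Key name "certbot-acme", primary 192.0.2.53 and the secret
# are assumed placeholders; the real secret comes from tsig-keygen.
set -eu

# 1. On the BIND primary (run by hand, once):
#      tsig-keygen certbot-acme >> /etc/bind/named.conf.keys
#    and, in that zone's statement, scope the key to the ACME name only:
#      update-policy { grant certbot-acme name _acme-challenge.example.com. txt; };
#    A key that can only touch that TXT name cannot rewrite the A records above.

# 2. On each web server: write the plugin's credentials file, readable by root only.
write_rfc2136_credentials() (
  umask 077                      # subshell, so the umask change stays local
  cat > "$1" <<EOF
dns_rfc2136_server = $2
dns_rfc2136_port = 53
dns_rfc2136_name = $3
dns_rfc2136_secret = $4
dns_rfc2136_algorithm = HMAC-SHA256
EOF
)

# 3. Build the issuance command. The propagation delay gives the AXFR-fed
#    secondaries time to receive the TXT record before Let's Encrypt queries
#    them; --reuse-key keeps the private key stable across renewals.
certbot_cmd() {
  creds="$1"; shift
  printf 'certbot certonly --dns-rfc2136 --dns-rfc2136-credentials %s' "$creds"
  printf ' --dns-rfc2136-propagation-seconds 60 --reuse-key'
  for d in "$@"; do printf ' -d %s' "$d"; done
  printf '\n'
}

# Constructed demo values; run the printed command after replacing the secret.
CREDS="${TMPDIR:-/tmp}/rfc2136.ini"
write_rfc2136_credentials "$CREDS" 192.0.2.53 certbot-acme 'REPLACE_WITH_TSIG_SECRET'
certbot_cmd "$CREDS" example.com
```

Each server then runs the printed command once and lets certbot's renewal timer repeat it; only the TSIG key, not the zone file, has to exist on every server.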