Letsencrypt renewals for separate server


I’m currently hosting my website in my home servers, and using a small external server as a reverse proxy (nginx). The HTTPS with a legit cert is done at this level.

Is there any way to automatically generate just the certificate files on a dedicated certificate machine (I already set up an ubuntu 16 and did it 100% manually for the first time, cert is up and running), and from that machine push and replace the expiring certificates on the reverse proxy? I could probably come up with a script that uses ssh/scp to transfer/replace the cert/key files but I can’t figure out the letsencrypt application. It forces me to verify with files on a web server but the documentation mentions DNS validation?

I do not want any traces of letsencrypt on the reverse proxy. Nothing runs on there except nginx, firewall and ssh. I wouldn’t mind doing it manually as I have been doing for years, but with the 90 day expiration the automation process needs to actually work properly for situations where the website isn’t just on one host…


There are a couple of options:

  • Redirect all validation requests (i.e. ones that match /.well-known/acme-challenge/*) to a dedicated validation server using a HTTP 301 redirect. Certbot could run on that server in standalone mode and handle all the validation, renewal, pushing certificates, etc.
  • Use DNS-based validation with DNS-01. No support for this in certbot currently, but other clients like lego would work.


The bash script getssl was designed to do exactly this.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.