Letsencrypt with Geo DNS

Hello,

I am planning a project and I will need to use Geo DNS. I understand that letsencrypt needs to verify the domain, but if I have the same domain across multiple servers and different countries I do not know if I will be able to generate certificates for each server separately. Can someone tell me if this is possible?

Thanks,
Thomas

You can get up to 5 duplicate certificates issued per week, but in my opinion that would be a waste of Let's Encrypt resources and quite an increase in load on their systems if everyone with multiple servers would just get multiple certificates. IMO it would be better to have a single, designated server handle all the certificate issuance and renewals and distribute the certificates securely (as it usually also needs the corresponding private key if it changes with every renewal) throughout the server network.

I'm not aware of a software package which could handle such a system, but perhaps it exists.


So if I generate only one certificate on one server and then distribute it to all the other servers, will it work, or will there be issues because the certificate was generated on a different server?

That should work. A certificate isn't bound to a certain server. The only thing that matters (generically speaking) is that the hostname in the certificate is equal to the hostname used to connect to the server and that the certificate is valid, i.e.: signed by a trusted certificate authority.


Ok, thank you for your help :grin:


Be aware that with that kind of setup, it's probably easiest to use the DNS-01 challenge to get the certificate. For HTTP-01 (which most people use), Let's Encrypt checks your server from several vantage points around the Internet, so you'd need to distribute the challenge token to all of your servers or something like that (which I'm not sure any client has an easy way to do) so that all the servers had the same content.

My setup isn't quite as complicated as yours, but I use an AWS Lambda to get the certificate (with a DNS-01 challenge) and store the private key and certificate in AWS S3. Then I have my server download them from there when a server starts up or when the certificate changes. It's all custom stuff I've written, though. I think there is some stuff out there that helps you with this out-of-the-box, but you'll probably have to do some custom integration of it regardless.


I see. Thanks for the example. I will try out both yours and @Osiris' solutions and see which one works out the best for me. Thank you for your help :slightly_smiling_face:

Thanks. If you do happen to use AWS (or some other "cloud" function platform where a Node.js example starting point would be useful), I wrote up the Lambda function I put together to put the DNS challenge in AWS Route 53, get the certificate, and store it in S3:

https://cooperjr.name/2020/08/13/acme-lambda-renewal/

Might serve as a useful starting point for you, but might not. :slight_smile:


I appreciate it! Unfortunately, I am not going to use AWS Route 53 for DNS, but I can make some changes in order to work with the API of the DNS provider I am currently using. Also, thank you for making it in Node.js, as I am very familiar with it and it will help me a lot with making the necessary changes in order to work properly.

