Multiple and different servers with the same subdomain

Hey now.
New to LE and still working out some thoughts and ideas, hoping to get a little help and guidance.

I have a domain, example.com

I have about 20 servers/services all located at the same site on one (dynamic) IP and one A record subdomain. (There are a few CNAME subdomains pointing to that A record, but these are the exception, not the norm.)

A office.example.com
cname officevpn.example.com -> office.example.com
cname file.example.com -> office.example.com
. . . .

All the various servers/services at this location are behind NAT and accessed on specific ports. (http://office.example.com:12345)
It’s actually about 12-14 VMs (mixed Win/Linux), some of which host more than one service/web server (RMM, inventory scanning, NMS, UniFi controller, NAS/file server, etc.).
For completeness, there are also a handful of other services at other sites (a PBX, an offsite RSYNC target, a shared webhosting account, at e.g. Vultr, OVH, etc.)

My question is with regards to issuing LE certs across all these machines. If I understand correctly I need one cert for each server/service, as each is essentially its own webserver.
Correct so far?

So first question: is it appropriate to use a wildcard cert for this? (since there’s the A record and a couple of cnames, all at the same IP address/site.)
Since I need a cert for each service though, don’t I run into duplicate cert limits requesting it for each service/server?
Or is there another mechanism for this I’m not aware of yet?

I guess basically I’m asking how do I get the certs spread around various machines without manual intervention or hitting limits?

Thanks.

Hi,

You could have unlimited certificates... (as long as you stay within the rate limits).
And those certificates aren't tied to web servers, but rather to hostnames (the hostname must match or you'll get a privacy error).

I would suggest you use a wildcard certificate, since you have so many hostnames and all behind one IP...

You could use the same certificate across all servers. Certificates aren't bound to servers. But if you insist on using one certificate per server, yes, you would easily trigger the rate limit.

That's all up to you.... Since you are on an internal network, you could even mount a drive on all the servers and put the certificate on it....
For this issue we don't have a best answer for you... since complexity and possibility are highly dependent on your servers and your skills.

Thank you

Hi @JAz

Using a wildcard certificate is independent of your IP configuration. Create a certificate for *.company.com, then you can use it with all servers that have a domain name like www.company.com, blog.company.com, mail.company.com.

But: creating a wildcard certificate means you have to use dns-01 validation, so you have to create a DNS TXT entry _acme-challenge.company.com with a special value. Certificates are valid for 90 days, so you have to do that every 60 - 80 days.

Does your DNS provider support an API? If not, it may be painful. If yes, there are certbot plugins to use that API, or other clients (acme.sh) with a lot of DNS plugins.

Sorry for delay, missed notifications.

Thank you for replying @stevenzhu and @JuergenAuer but you miss the point of my question.

@JuergenAuer I'm aware what dns-01 is; my DNS provider has an API, I've tested it and it works. So thanks, but that really has nothing to do with my question.

@stevenzhu I understand all those points. I thought I was making that clear when I wrote all that backstory in my OP. The real question, and the only one I'm seeking help with, is the last point you answered:

I guess basically I’m asking how do I get the certs spread around various machines without manual intervention or hitting limits?

That’s all up to you… Since you are on an internal network, you could even mount a drive on all the servers and put the certificate on it…
For this issue we don’t have a best answer for you… since complexity and possibility are highly dependent on your servers and your skills.

Appreciate you replying but my question (first sentence of my OP) asked for help and guidance.
In other words, share strategies and ideas for how you and/or other people are actually doing this now.

So for example you mentioned being on LAN I could put the cert on a shared drive. Ok, maybe.

Any tutorial, write-up, discussion or something you could point to so I can see it in action, read the pros/cons, etc.?

And not all the machines are on the LAN, so I'm seeking a strategy that includes them as well (though ostensibly they could just be set to each get their own, but any thoughts on the matter are appreciated).

Anyone that has any experience with this that can share what they are doing in similar situations? Please. Your help appreciated.

J.

Somewhat answering myself, this seems relevant: Retrieving already-created wildcard cert on a different server

Still interested to hear from any doing this or similar.

Honestly, if your DNS host has a suitable API, my inclination would be to just do DNS validation at the individual hosts to get a cert for that hostname. But before I had that benefit, I had a single public-facing host that obtained certs for a number of internal hosts using HTTP validation, and then deployed them to the internal hosts using scp. That means that whatever system is obtaining the cert needs to have public-key SSH access to all the other systems, with enough privileges to write the cert/key there and reload any relevant services.

@danb35

So you had the one machine push the certs (as opposed to each pulling)?
Any example scripts/docs you can point to?

Not all targets are Linux, but it's part of the struggle. Not sure about pushing from a Linux host to a Win machine (at the minimum it would mean adding an SCP server to the Win machines, which I'm not sure is desirable. No idea how I'd do it with built-in Win facilities.)

Also, it might be possible to do this inversely: auth on a Windows host and push to Win and Linux with PowerShell. I'll have to see if I can find any examples of what you suggest done in PS.

Appreciate any examples you might have. Any working points of reference will be handy somewhere/somehow.

Correct. Since that's the only machine that knows when the cert was renewed, that seemed like the simplest way to do it. But of course, you could just as easily set up a daily scheduled task on the "pull" machines to pull whatever cert was there and reload the appropriate servers.

I wrote up some examples here:
https://wiki.contribs.org/Letsencrypt#Obtaining_certificates_for_other_servers

That's in the context of a Koozali SME server, using dehydrated to get the cert, so it's using template fragments; you'd definitely need to adapt it to your situation. I've also put together this to deploy a cert to a FreeNAS box:

...but I'm not sure how useful it'd be for any other application.

Share a directory on the Windows box, and set something to monitor it for changes? Just a thought.
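To make the push model described above concrete (one host obtains the cert, copies it out with scp, and reloads services on each target; or each target pulls on a schedule and reloads only when something changed), here is an added example script. It is not code from the Let's Encrypt project, dehydrated, acme.sh or the wiki page linked above. It assumes a dedicated SSH key at DEPLOY_KEY, a host list at HOST_LIST with one "host dest_dir reload_cmd" per line, a copy of this same script at /usr/local/sbin/deploy-cert.sh on each target, and a remote sudoers rule that allows the deploy user to run exactly that one command; all of those paths and names are assumptions, and the PEM contents in the test are constructed placeholders, not real certificates.

```bash
#!/usr/bin/env bash
# deploy-cert.sh: push a freshly issued certificate from the one host that
# runs the ACME client to the other servers, and reload services only when
# the certificate actually changed.  Added example for this thread; not
# code from the Let's Encrypt project, dehydrated or acme.sh.
# Assumed (not from the thread): DEPLOY_KEY, HOST_LIST, the remote path
# /usr/local/sbin/deploy-cert.sh and a sudo rule limited to that command.
set -u

DEPLOY_KEY="${DEPLOY_KEY:-/etc/ssl/deploy/id_ed25519}"   # assumed path
HOST_LIST="${HOST_LIST:-/etc/ssl/deploy/hosts.txt}"       # "host dest reload_cmd" per line (assumed)

# Print only the first certificate (the leaf) of a PEM chain file.
extract_leaf() {
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{if(p) exit}' "$1"
}

# Exit 0 when the candidate differs from the installed file, or when
# nothing is installed yet; exit 1 when they are byte-for-byte identical.
cert_changed() {
    local new="$1" installed="$2"
    [ -f "$installed" ] || return 0
    ! cmp -s "$new" "$installed"
}

# Refuse to ship a certificate whose public key does not match the private
# key going next to it (catches mixed-up files before they reach a server).
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 0   # no openssl: skip the check
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Install cert+key into DEST atomically and run RELOAD only if the cert
# changed.  Returns 0 if a reload ran, 2 if nothing changed, 1 on error.
# This is also what the scheduled "pull" job on a target would call.
install_cert() {
    local cert="$1" key="$2" dest="$3" reload="$4"
    mkdir -p "$dest" || return 1
    cert_changed "$cert" "$dest/fullchain.pem" || return 2
    # Temp names in the same directory, so the final mv is an atomic rename.
    ( umask 077 && cp "$cert" "$dest/.fullchain.pem.tmp" ) || return 1
    chmod 0644 "$dest/.fullchain.pem.tmp" || return 1
    ( umask 077 && cp "$key" "$dest/.privkey.pem.tmp" ) || return 1   # key stays 0600
    mv -f "$dest/.privkey.pem.tmp"   "$dest/privkey.pem"   || return 1
    mv -f "$dest/.fullchain.pem.tmp" "$dest/fullchain.pem" || return 1
    sh -c "$reload"
}

# Copy the pair to one remote host, then run the installer there through the
# restricted sudo rule.  Reload commands must not contain single quotes.
push_to_host() {
    local host="$1" dest="$2" reload="$3" cert="$4" key="$5"
    local stage="/var/tmp/acme-deploy.$$"
    ssh -i "$DEPLOY_KEY" "$host" "mkdir -p $stage && chmod 700 $stage" || return 1
    scp -q -i "$DEPLOY_KEY" "$cert" "$key" "$host:$stage/" || return 1
    ssh -i "$DEPLOY_KEY" "$host" \
        "sudo /usr/local/sbin/deploy-cert.sh --install $stage/$(basename "$cert") $stage/$(basename "$key") '$dest' '$reload'; rm -rf $stage"
}

main() {
    case "${1:-}" in
        --install) install_cert "$2" "$3" "$4" "$5" ;;
        --push)
            local cert="$2" key="$3" rc=0 host dest reload
            key_matches_cert "$cert" "$key" || { echo "key/cert mismatch, refusing to deploy" >&2; return 1; }
            while read -r host dest reload; do
                [ -n "$host" ] || continue
                case "$host" in \#*) continue ;; esac          # comment lines
                push_to_host "$host" "$dest" "$reload" "$cert" "$key" \
                    || { echo "deploy to $host failed" >&2; rc=1; }
            done < "$HOST_LIST"
            return "$rc" ;;
        *) echo "usage: $0 --push fullchain.pem privkey.pem | --install cert key dest reload_cmd" >&2; return 1 ;;
    esac
}

[ $# -eq 0 ] || main "$@"
```

Hook it into the ACME client as the deploy/renew hook on the issuing host (`deploy-cert.sh --push /path/to/fullchain.pem /path/to/privkey.pem`); the same file on a target handles `--install`, so a daily cron job on a "pull" machine that fetches the pair into a staging directory and then calls `--install` gets the same change detection and only reloads when the bytes actually differ. Keeping the remote side behind a sudo rule for one fixed command is what limits the blast radius of the deploy key, which otherwise needs write access and a service reload on every server.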

Thanks @danb35.

The Dehydrated stuff in particular is helpful.

I’ve already deployed acme.sh on a Synology NAS locally and may try to figure out how to duplicate the functionality with acme.sh (if even possible) as that is probably the most sensible box for me to put at the center of this.

Else maybe I’ll stand up a vps at vultr or co-opt an existing one for this function.

Wrt the last point about Windows, I was actually wondering about the inverse: pushing from Linux to Windows using a built-in facility. But it was a bit rhetorical, as I’m pretty sure there’s not a way to do it.
So I'll either end up with my NAS or Vultr VPS at the center of the Linux cert distribution and another Win box at the center of the Win boxen distribution, OR find/dev PowerShell to start on Windows and distribute to all. Blech. Not my strong suit.

One last question for you - in this schema did you pull one cert/hostname for each host, one cert with multiple SAN or a wildcard cert?
Just curious and, if there was a strong reason for your choice, why.

Thanks Dan. Big help.

Yes. I couldn't do wildcards as they (1) weren't available initially, and (2) when they became available, they required DNS validation which my DNS host at the time didn't support. And if I was deploying individual certs to each host anyway, I figured I might as well make them unique to that host.

I've since moved to a DNS host that does have a supported API, and since then started using acme-dns, so now I'm obtaining certs on each individual host using DNS validation.

Awesome @danb35. Thank you!

For the next soul coming through here, TIL as of Synology DSM 6.1 (maybe even 6.0) the shell is no longer ASH on Busybox but a (supposedly proper) BASH shell.

There is no true apt-get (there is a more limited dpkg), so not all deb packages are available, but it’s a step closer and may mean I can run dehydrated and the above scripts on it.

hth someone someday.
