Our websites and DNS are served by multiple sets of geographically diverse servers. What we are wondering is the best way of achieving automated registration and renewal.
One critical factor is that in this high-availability system failure of a DNS server or webserver should not cause disruption to certificate issue/renewal.
In essence we have:
2 DNS servers serving the same domains as authorities.
2 webservers serving the same website.
As I understand it the issue with automated issue/renewal is that modifications need to be made to the webroot or the DNS.
The problem is that when making a change, that change would obviously need to be made to both locations prior to letting the challenge occur - as it is not possible to determine which server the challenge will arrive at.
The DNS servers are not on the same machines as the webservers. Loss of any machine must not affect operations.
Is there any advice for the best way forward in such high availability scenarios?
How can we get automated issue/renewal? Or is the answer a lot of scripting/unison/scp?
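One way to handle the "which server will the challenge arrive at" problem described above is to deploy the challenge to every replica and then refuse to trigger validation until each replica is confirmed to serve it. The following is an added example, not code from the original post or any ACME client: it polls every webserver replica directly by IP (with the Host header set) for an HTTP-01 token and reports which replicas are ready; the host name, replica IPs, token and key authorization are constructed placeholders, and the same wait-for-all pattern applies to DNS-01 by querying each authoritative nameserver for the TXT record instead.

```python
# Added example (not from the original post): before triggering an ACME
# HTTP-01 validation, poll every webserver replica directly (by IP, with the
# Host header set) until each one serves the expected key authorization.
# Host name, replica IPs, token and key authorization are constructed values.
import time
import urllib.request
from typing import Callable, Dict, Iterable, List

ACME_PATH = "/.well-known/acme-challenge/"

def fetch_token(host: str, replica_ip: str, token: str, timeout: float = 5.0) -> str:
    """Fetch the challenge file from one replica; returns "" on any failure."""
    url = f"http://{replica_ip}{ACME_PATH}{token}"
    req = urllib.request.Request(url, headers={"Host": host})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace").strip()
    except Exception:  # connection refused, timeout, 404: treat as "not ready"
        return ""

def wait_for_all_replicas(host: str, replicas: Iterable[str], token: str, key_auth: str,
                          probe: Callable[[str, str, str], str] = fetch_token,
                          retries: int = 10, delay: float = 2.0) -> Dict[str, bool]:
    """Poll until every replica serves key_auth, or retries are exhausted.

    Returns {replica_ip: served_correctly}. Only tell the ACME CA to validate
    when all values are True, since the CA may contact any replica.
    """
    status = {r: False for r in replicas}
    for _ in range(retries):
        for r in [ip for ip, ok in status.items() if not ok]:
            status[r] = probe(host, r, token) == key_auth
        if all(status.values()):
            break
        time.sleep(delay)
    return status

def make_fake_probe(answers: Dict[str, List[str]]) -> Callable[[str, str, str], str]:
    """Constructed stand-in for fetch_token: each replica returns its queued
    responses in order and keeps repeating the last one (simulates sync lag)."""
    def probe(host: str, replica_ip: str, token: str) -> str:
        queue = answers[replica_ip]
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return probe

if __name__ == "__main__":
    token, key_auth = "tok123", "tok123.THUMBPRINT"  # constructed values
    # web-1 is already synced; web-2 needs two more polls before it serves the token
    probe = make_fake_probe({"192.0.2.10": [key_auth], "192.0.2.11": ["", "", key_auth]})
    print(wait_for_all_replicas("www.example.com", ["192.0.2.10", "192.0.2.11"],
                                token, key_auth, probe=probe, delay=0))
```

In production, replace the constructed probe with the default `fetch_token` and run this check from the deploy hook of your ACME client after copying the token to all webservers (or after updating both authoritative DNS servers for DNS-01).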