I have asked this particular question multiple times and get varied answers from VPS providers, control panel vendors etc. I would love to get the definitive answer from the LetsEncrypt community.
I have multiple servers serving the same WordPress websites in different worldwide geographic regions. The websites are served to the clients from the nearest server dependent on their geographic location. It works very well and loading speeds are very fast as a result. Is it possible to have LetsEncrypt certificates installed on each server for each domain without creating conflicts?
One of the issues you need to tackle is the authorization challenge, as it’s not known which server will serve the request coming from Let’s Encrypt if you want to use the http-01 or tls-sni-01 challenge. Therefore, only the DNS challenge will be useful in this use case, I reckon.
Do you want a certificate for every server? Or distribute one single cert among the servers?
I believe the conflict exists as different certs on different servers will fail as each cert was created independently and so as each cert is challenged it will invariably fail. I honestly don’t know which is the best way to go. I don’t necessarily need a different cert on each server and one cert for all servers would be great.
I don’t mind creating multiple certs or distributing one cert among all servers. The most efficient solution for me is to get it working and avoid any potential mishaps by doing the wrong thing at the beginning.
My alternative if I wasn’t to use LetsEncrypt would be to purchase certs for each domain at $60 each, I would prefer not to go down that route just yet.
Based on your post, if you have a way to securely distribute the private key and the certificate, using DNS auth and distributing the certificate across the servers would probably be the best option for your needs. This, of course, assumes you can automate the challenge in some way.
That’s the thing, I don’t have a method to do this or the knowledge yet to set up the best way to automate the process. I’m all ears and am open to suggestions of how to accomplish this and eager to learn if anyone else has successfully done this.
It depends on how your DNS is set up. Many providers offer an API for changes to be done. You can check with your provider to see if such a feature is available. You’ll need to just set a TXT record to a specified value provided by the Let’s Encrypt servers.
That shouldn’t be a problem as I use an external DNS like Constellix or EdgeDirector. Can anyone give an example of what the setup procedure would be regarding the DNS Zone/Records?
The “LE client” that you use (the official client is certbot, or there are various alternatives) will communicate with Let’s Encrypt and obtain a token which is to be added to your DNS records. It will provide this token to you (either printed to the screen, or more commonly as a variable you can use in a script).
You need to add this token as a TXT record in _acme-challenge.yourdomain.com
Adding the token can easily be done using a script if you have a good API to your DNS records.
You then ask Let’s Encrypt to verify the token is there (the “LE client” will do that) and if it’s correct it will provide you with a certificate.
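For readers who want to see what the client is actually doing between "obtain a token" and "verify the token is there", here is an added worked example; it is not code from this thread or from any ACME client. It derives the TXT value the way RFC 8555 section 8.4 specifies (the published value is a digest over the token and the account key's RFC 7638 thumbprint, which is what the client hands you), and it adds the pre-flight check a practitioner wants before asking the CA to validate: parse `dig +short TXT` output from the authoritative nameserver and confirm the fresh record is visible, so a slow DNS API does not cost a failed authorization. The account key, token and dig output below are constructed placeholders.

```python
# Added example (not from the thread): how the DNS-01 value is derived and a
# pre-flight check on the published TXT record before asking the CA to validate.
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME (RFC 8555) uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: only the required public
    members, sorted lexicographically, serialised without whitespace, then SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.4: the TXT record holds
    base64url(SHA-256(token || '.' || thumbprint)), not the raw token."""
    key_authorization = f"{token}.{jwk_thumbprint(account_jwk)}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """Owner name of the validation record for a domain (absolute, trailing dot)."""
    return f"_acme-challenge.{domain.rstrip('.')}."


def txt_record_present(dig_short_output: str, expected: str) -> bool:
    """Parse `dig +short TXT` output and report whether `expected` is published.
    Each line is one record; a record longer than 255 bytes is printed as several
    quoted chunks on one line that must be concatenated. The CA checks whether any
    record matches, so leftover records from earlier issuances are simply ignored."""
    for line in dig_short_output.splitlines():
        chunks = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if chunks and "".join(chunks) == expected:
            return True
    return False


# Constructed sample data: a placeholder JWK (not a real key) and a made-up token.
# 'alg' is present to show that non-required members do not affect the thumbprint.
SAMPLE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB",
                      "n": "placeholder-modulus-not-a-real-key", "alg": "RS256"}
SAMPLE_TOKEN = "constructed-token-Dt3juxGJ-PCt92wr-oA"


if __name__ == "__main__":
    value = dns01_txt_value(SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    print(f'publish TXT {challenge_name("example.com")} -> "{value}"')
    # Constructed stand-in for `dig +short TXT _acme-challenge.example.com @<authoritative ns>`
    # after the API change has propagated: one stale record from last time plus the fresh one.
    observed = f'"stale-value-from-last-renewal"\n"{value}"\n'
    if txt_record_present(observed, value):
        print("record visible on the authoritative nameserver; safe to request validation")
    else:
        print("record not visible yet; wait before requesting validation")
```

Query the zone's authoritative nameservers directly (the `@ns` form of `dig`) rather than a recursive resolver, otherwise a cached negative answer can make a correctly published record look missing.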
So one cert issued from LetsEncrypt and one TXT record in the DNS Zone for that domain would be sufficient to cover that domain on all servers?
As it would be irrelevant which location the website is accessed from because the TXT record for that domain will always be available to verify with LetsEncrypt? Is this correct?
Correct. That’s the way I do it (although not WordPress, but that’s irrelevant). I obtain one cert (via script) and that same script copies it to all the servers it needs to go on, and reloads the services there. All done in a matter of seconds, automatically.
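The "copy it to all the servers and reload" step described above, as an added example that is not the poster's script or any client's code. Beyond the copy itself it shows two things a practitioner wants: the private key is written on each remote host with a restrictive umask and renamed into place atomically so the web server never reads a half-written file, and after the reload every regional server is contacted by address with the site name as SNI and the SHA-256 fingerprint of the certificate it serves is compared with the one just installed, so a region that silently kept the old certificate is reported. Hostnames, paths and the reload command are constructed assumptions; the `/etc/letsencrypt/live/...` layout is certbot's but any client's output paths work.

```python
# Added example (not from the thread): push one certificate to every regional
# server, reload, and confirm each region actually serves the new certificate.
import base64
import hashlib
import re
import socket
import ssl
import subprocess

# Constructed values: hostnames, paths and reload command are assumptions.
REGION_HOSTS = ["eu-1.example.invalid", "us-1.example.invalid", "ap-1.example.invalid"]
SITE = "www.example.com"
LOCAL_FULLCHAIN = "/etc/letsencrypt/live/example.com/fullchain.pem"  # certbot's layout
LOCAL_PRIVKEY = "/etc/letsencrypt/live/example.com/privkey.pem"
REMOTE_DIR = "/etc/ssl/site"
RELOAD_CMD = "sudo systemctl reload nginx"


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first certificate in a PEM bundle (the leaf)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint_sha256(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, as `openssl x509 -fingerprint -sha256` prints it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def mismatched_hosts(observed: dict, expected_fp: str) -> list:
    """Hosts whose served certificate fingerprint differs from the one we installed."""
    return sorted(h for h, fp in observed.items() if fp != expected_fp)


def served_fingerprint(host: str, sni: str, port: int = 443) -> str:
    """Connect to one regional server by its own address but ask for `sni`, so we
    see exactly the certificate that region hands the site's visitors. Chain
    verification is off on purpose: the goal is to inspect whatever is served,
    including a stale or wrong certificate, not to trust it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return fingerprint_sha256(tls.getpeercert(binary_form=True))


def copy_via_ssh(host: str, local: str, remote_path: str, umask: str) -> None:
    """Stream a file over ssh; the remote umask fixes the mode at creation time,
    so the private key is never readable by other users even for an instant."""
    with open(local, "rb") as f:
        subprocess.run(["ssh", host, f"umask {umask} && cat > {remote_path}"],
                       stdin=f, check=True)


def install_on_host(host: str) -> None:
    """Write both files under staging names, then rename into place and reload."""
    copy_via_ssh(host, LOCAL_FULLCHAIN, f"{REMOTE_DIR}/fullchain.pem.new", "022")
    copy_via_ssh(host, LOCAL_PRIVKEY, f"{REMOTE_DIR}/privkey.pem.new", "077")
    # rename is atomic on the same filesystem: the web server never sees a partial file
    subprocess.run(["ssh", host,
                    f"mv -f {REMOTE_DIR}/fullchain.pem.new {REMOTE_DIR}/fullchain.pem && "
                    f"mv -f {REMOTE_DIR}/privkey.pem.new {REMOTE_DIR}/privkey.pem && "
                    f"{RELOAD_CMD}"], check=True)


def main() -> int:
    with open(LOCAL_FULLCHAIN) as f:
        expected = fingerprint_sha256(pem_to_der(f.read()))
    for host in REGION_HOSTS:
        install_on_host(host)
    observed = {h: served_fingerprint(h, SITE) for h in REGION_HOSTS}
    bad = mismatched_hosts(observed, expected)
    for h in bad:
        print(f"{h}: serves {observed[h]}, expected {expected}")
    return 1 if bad else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the machine that holds the certificate, as the renewal hook of whichever client you use, with key-based ssh to each region; a non-zero exit from the post-reload check is what you alert on.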
Not to bypass @serverco here, as he deserves much credit for his client, but you might also be interested in acme.sh, another bash client in the list of clients, which I know has many, MANY (currently 14) DNS API integrations built-in.