My doubt is about the client side:
Should I copy the master certificates to the slave server? And only use these (master certificates) on the slave for the secure connection?
In this scenario I should automate the copy of the certificates to the slave server (considering that they expire every three months…).
Do you recommend using Let's Encrypt certificates for this operation?
An internal CA is a better fit for this. It’s both easier to deploy and more secure because you don’t have to trust a third party at all.
I’ve used easy-rsa for this in the past and it’s worked fairly well. If you’re familiar with OpenSSL’s command-line interface, you could go the manual route as well.
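
The manual OpenSSL route mentioned above, as an added example (not code from the original posts): a private CA issues a server certificate for the master and a client certificate for the slave, so the slave needs only `ca.pem` plus its own key pair, never the master's private key. Host names, file names, key sizes and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example: private CA with one server and one client certificate.
# All names and lifetimes below are assumptions chosen for illustration.

make_ca() {       # $1 = output directory for the CA key and certificate
  mkdir -p "$1" && chmod 700 "$1"
  # Self-signed root; the default openssl.cnf marks it CA:TRUE (v3_ca).
  openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
    -subj "/CN=Replication Internal CA" \
    -keyout "$1/ca-key.pem" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {    # $1 = dir, $2 = file prefix, $3 = serverAuth|clientAuth, $4 = DNS name
  # Key and CSR for the host (in production, generate these on the host itself).
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$4" \
    -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null
  # Restrict the leaf to a single role and bind it to its DNS name.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=%s\nsubjectAltName=DNS:%s\n' \
    "$3" "$4" > "$1/$2.ext"
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca-key.pem" \
    -CAcreateserial -days 365 -sha256 -extfile "$1/$2.ext" \
    -out "$1/$2.pem" 2>/dev/null
}

verify_cert() {   # $1 = dir, $2 = file prefix, $3 = sslserver|sslclient
  # Succeeds only if the chain leads to our CA and the role matches.
  openssl verify -CAfile "$1/ca.pem" -purpose "$3" "$1/$2.pem" >/dev/null 2>&1
}

# Run directly with a target directory, e.g.:  sh mkpki.sh ./pki
if [ -n "${1:-}" ]; then
  make_ca "$1" \
    && issue_cert "$1" master serverAuth db-master.internal.example \
    && issue_cert "$1" slave  clientAuth db-slave.internal.example \
    && verify_cert "$1" master sslserver \
    && verify_cert "$1" slave  sslclient \
    && echo "issued and verified: $1/master.pem $1/slave.pem"
fi
```

Keep `ca-key.pem` off both database hosts; each host gets `ca.pem` and its own `*-key.pem` / `*.pem` pair.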