One server to generate certificates and sync them to other servers


#1

Hello,

I’d like to know if it’s possible to have a “standalone” certbot server (that will contain no files) only to generate and renew my different certificates and sync them on other servers.

Thanks,


#2

Hi,

That’s completely possible, however this would need that your domain is using DNS-01 challenges (since other servers probably got the domain pointed to…and that’s probably the efficient way…) For http validation, see @mnordhoff’s response.

Just need to check with your DNS Hosting provider and see if there’s an API available to use (and most importantly, if any ACME clients support the API)…

You could validate using DNS-01 with automation, then copy(sync) those files generated to the desired server

Thank you

Thank you


#3

It’s feasible to use HTTP-01 validation, which uses a request to e.g. http://www.example.com/.well-known/acme-challenge/[random filename] if you configure your other web servers to respond appropriately, by redirecting or reverse proxying to your certificate server, or by having the certificate server copy files to them, or using NFS or something.

There’s also the question of how to deploy new certificates (and keys) to your other servers. You can write a Certbot hook to do it. The client GetSSL has a built-in feature to copy them over SSH (and to perform validation that way).


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.