One TLD, one certificate, two servers

Hello,

I am running a private server that uses a LE cert and everything's working fine. Now I want to split that server into two servers for better performance. The services they will provide will be distinguished by the ports that the servers are connected to.

Viewing from the outside, it will simply be "my.tld.org" for all services.

In this case: can I just copy the LE cert from server A to server B and configure the web server engine appropriately?

Updating the certificate is done by cron right now, so both servers should be able to update their versions of the cert independently, shouldn't they?

If this is not as simple as I imagine: what would be the right way to do what I like?

1 Like

If I understand correctly, this should be a slam dunk. Just copy the certs from A to B, and let the load balancer do its thing. I think only server A needs to do updates, and the certs could then be copied to B. Am I missing something? So far as I can discern, you only need one certificate pair. The "key" sentence to me is the one about the "outside view" of your site. The gurus on here may have a different opinion, but it looks like you can just try it faster than awaiting responses on here.

2 Likes

Well, it can be as simple as you imagine I think. There are basically two possibilities:

  1. Keep having server A renew certificates, and have it run some script on renewal (like with certbot's --deploy-hook) to securely copy the new private key and certificate to server B.
  2. Have server A and server B independently get their own separate certificates.

In either case, you need to be careful to ensure that the server(s) getting a certificate can fulfill the right challenge. I usually think the DNS-01 challenge is easiest for anything even semi-complicated, though it's a lot easier if your DNS has an API that you can just use. (If it doesn't, look at delegating the challenge record to something like acme-dns which is scriptable.) You can make HTTP-01 or TLS-ALPN-01 work as well, it just requires care on your load balancer (or whatever it is you have listening on 80/443) to ensure that the challenge is being handled by the system currently requesting a certificate.

5 Likes
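Option 1 above (server A renews, a deploy hook pushes the files to server B) can look like the following. This is an added example, not code from the thread or from certbot; the host `deploy@serverb.example`, the directory `/etc/ssl/my.tld.org` and the nginx reload command are assumptions, and `COPY`/`RSH`/`DEST` are overridable only so the logic can be exercised without a second machine.

```shell
#!/bin/sh
# Added example (not from the thread): a certbot --deploy-hook that ships a
# freshly renewed certificate and key from server A to server B and reloads
# B's web server. Host, user, paths and reload command are assumptions.
#
# Install on server A, e.g.:
#   certbot renew --deploy-hook /usr/local/sbin/push-cert-to-b.sh
# Certbot runs the hook only after a successful renewal and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/my.tld.org) and RENEWED_DOMAINS.
# Use a dedicated SSH key on A that B restricts to this copy/reload task.

REMOTE_HOST="${REMOTE_HOST:-deploy@serverb.example}"    # assumed
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/my.tld.org}"         # assumed
RELOAD_CMD="${RELOAD_CMD:-sudo systemctl reload nginx}" # assumed
DEST="${DEST:-$REMOTE_HOST:$REMOTE_DIR}"
COPY="${COPY:-scp -q}"   # overridable so the logic can be exercised locally
RSH="${RSH:-ssh}"

# Succeeds only if the lineage holds both files and the private key is not
# world-readable. 'find -L' follows certbot's live/ -> archive/ symlink so the
# real key file's mode bits are examined, not the symlink's.
lineage_ok() {
    dir="$1"
    [ -r "$dir/fullchain.pem" ] && [ -r "$dir/privkey.pem" ] || return 1
    # '-perm -004' prints the path only when the "other" read bit is set.
    [ -z "$(find -L "$dir/privkey.pem" -perm -004)" ]
}

# Copy fullchain + key to B, then reload B's web server. Copies nothing and
# returns non-zero if the lineage fails the checks above.
deploy() {
    dir="$1"
    lineage_ok "$dir" || { echo "refusing to deploy from $dir" >&2; return 1; }
    $COPY "$dir/fullchain.pem" "$dir/privkey.pem" "$DEST/" || return 1
    $RSH "$REMOTE_HOST" "$RELOAD_CMD"
}

# When invoked by certbot, RENEWED_LINEAGE is set; do nothing otherwise.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy "$RENEWED_LINEAGE" || exit 1
    echo "deployed ${RENEWED_DOMAINS:-?} to $REMOTE_HOST"
fi
```

With this in place server B never needs to answer an ACME challenge itself, so only server A has to be reachable for HTTP-01/TLS-ALPN-01 or hold the DNS API credentials.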
