Hi, we are about to develop our own ACME client for a bigger organization with many web servers and domains. Are there any hints/experiences to share if we want to run the client in more parallel instances? For example:
Is it better for each instance to have its own account at Let's Encrypt? Otherwise I guess there could be a problem with nonces if they were related to an account - is it so? Or are they related to something like IP address of the client?
Could there be some trouble if the instances share the same authorization keys?
Nonces aren't ordered or tied to an ACME account (guaranteed by the spec, I think), but they tend to be tied to the IP address of the requester (in practice). They can go bad at any time (e.g. if a Boulder instance is taken down and your request goes to a different one), so you should be prepared to retry with a new nonce if you encounter a bad nonce error, as the spec instructs you to do:
When a server rejects a request because its nonce value was unacceptable (or not present), it MUST provide HTTP status code 400 (Bad Request), and indicate the ACME error type "urn:ietf:params:acme:error:badNonce". An error response with the "badNonce" error type MUST include a Replay-Nonce header with a fresh nonce. On receiving such a response, a client SHOULD retry the request using the new nonce.
Beware of rate limits that apply on a per-account basis as well as per-IP address basis.
Integration Guide - Let's Encrypt - either choice is valid. E.g. if the end-user has access to the account key, then certainly you want to use separate accounts.
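An added simulation of the retry behaviour described in this answer (not code from the original post or from Let's Encrypt): two fake ACME backends that each recognise only the single-use nonces they issued, and a client that keeps the Replay-Nonce from every response and retries when it gets a badNonce error. The backend class, the routing schedule and the payloads are constructed for the demo, and JWS signing is left out.

```python
import secrets

BAD_NONCE = "urn:ietf:params:acme:error:badNonce"

class FakeAcmeBackend:
    """Constructed stand-in for one ACME server instance. Nonces are single-use
    and only recognised by the instance that issued them (the "in practice"
    behaviour described above); JWS signing is omitted."""
    def __init__(self):
        self.valid_nonces = set()

    def new_nonce(self):                      # models HEAD /acme/new-nonce
        nonce = secrets.token_urlsafe(16)
        self.valid_nonces.add(nonce)
        return nonce

    def post(self, nonce, payload):           # models a POST whose JWS carries the nonce
        headers = {"Replay-Nonce": self.new_nonce()}   # every response carries a fresh nonce
        if nonce not in self.valid_nonces:
            return 400, headers, {"type": BAD_NONCE}
        self.valid_nonces.discard(nonce)      # consume it: this is the replay protection
        return 200, headers, {"status": "ok", "echo": payload}

class AcmeClient:
    """Client that keeps the latest Replay-Nonce and retries on badNonce."""
    def __init__(self, route, max_retries=3):
        self.route, self.max_retries = route, max_retries
        self.nonce, self.bad_nonce_count = None, 0

    def post(self, payload):
        for _ in range(self.max_retries + 1):
            backend = self.route()            # which instance the load balancer picks
            if self.nonce is None:
                self.nonce = backend.new_nonce()
            status, headers, body = backend.post(self.nonce, payload)
            self.nonce = headers["Replay-Nonce"]   # always keep the freshest nonce
            if status == 400 and body.get("type") == BAD_NONCE:
                self.bad_nonce_count += 1
                continue                      # retry with the nonce the error delivered
            return status, body
        raise RuntimeError("still badNonce after %d retries" % self.max_retries)

def run_demo():
    """Two backends; the balancer sends the second request to the other instance."""
    backends = [FakeAcmeBackend(), FakeAcmeBackend()]
    schedule = iter([0, 1, 1])                # constructed routing: A, then B, then B again
    client = AcmeClient(lambda: backends[next(schedule)])
    first = client.post({"identifiers": [{"type": "dns", "value": "example.com"}]})
    second = client.post({"csr": "constructed-placeholder"})
    return first[0], second[0], client.bad_nonce_count   # (200, 200, 1)
```

The second request fails once because its nonce came from the other backend, then succeeds on the retry using the nonce from the badNonce response; a bounded retry count keeps a persistently failing backend from looping forever.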