This is a general question, and hypothetical right now, so I don’t have a specific domain or command that I have tried.
If I have a webserver that listens on port 80/443, and I have a router that listens on 8443, and both of them have the capability to run an ACME client for LetsEncrypt, is it possible to get a certificate for the same domain on both, or will making the request on a second machine cause the first certificate to be revoked (or something like that)?
I ask in this way because I have seen other posts where the challenge was distributing the http-1 challenge, or something to that end. I think because in my scenario I have separate ports, I avoid this issue.
Your router won’t be able to get a cert via ACME using http-01, as it needs to be listening on port 80. But you can share an already acquired certificate between devices (it’s just PEM files).
I’m not sure which challenge it uses, but the router is able to get a cert through acme somehow. I am just curious whether doing so would interfere with the cert on the other server.
I have shared certs in the way you describe on my previous router, and that is definitely an option, albeit a fallback one, because it involves storing the certificates on a share, which is less secure than getting them through acme.
In general, it is possible to have more than one valid certificate for the same domain.
Getting the certificate for the device with port 80 open is a trivial job. For the other device, it is important that the http-01 challenge is put into the appropriate location. At the time of issuing the certificate for that device, the other server must do an HTTP redirect from port 80 to 8443.
There are other variations, for example using the first device to generate the certificate for the second device.
edit: all these methods do not require copying secrets. They are safe, even if all data transfers on your network are eavesdropped.
Thanks. I did not know that Boulder does not accept redirection to a port other than 443. I guess it must be HTTPS and not HTTP. Is there a document about what is permitted (or should I read the definitive document, the implementation code itself)?
I don't think there is. I'm open to the idea generally but I'm not sure what the best place is for something at this level of detail.
We apply a handful of restrictions on HTTP-01 challenge redirects. The target can't be a bare IP address, and it must use the http or https protocol scheme. If explicitly specified, the port must match the protocol default (port 80 or 443 respectively). We follow up to 10 redirects. If you wanted to read the implementation, the most relevant function is probably extractRequestTarget in va/http.go.
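The redirect rules in the reply above, and the port-80-to-8443 redirect proposed earlier in the thread, can be checked locally before relying on them. The following is an added example, not code from this thread and not Boulder's own implementation: a checker that applies the stated rules (http or https scheme only, no bare IP address, an explicit port must equal the scheme's default, at most 10 redirects) to a redirect target, plus a follower that walks a constructed redirect chain with the same hop limit. The function names, the hostnames and the sample chain are this example's own inventions.

```python
"""
Added example: apply the HTTP-01 redirect restrictions described in the thread
to candidate redirect targets. This is not Boulder's code (see va/http.go for
the real thing); the rules are taken from the post, the rest is illustrative.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

MAX_REDIRECTS = 10                       # "We follow up to 10 redirects."
DEFAULT_PORTS = {"http": 80, "https": 443}


def check_redirect_target(url: str) -> tuple[bool, str]:
    """Return (ok, reason) for a Location header the validator would follow."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return False, f"scheme {parts.scheme!r} is not http or https"

    host = parts.hostname                # brackets stripped for IPv6 literals
    if not host:
        return False, "no host in redirect target"
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass                             # a hostname, which is what we want
    else:
        return False, f"bare IP address {host} is not allowed"

    try:
        port = parts.port                # None when no port is given
    except ValueError:
        return False, "port is not a number"
    if port is not None and port != DEFAULT_PORTS[scheme]:
        return False, (f"port {port} does not match the {scheme} default "
                       f"{DEFAULT_PORTS[scheme]}")
    return True, "ok"


def follow_redirects(start: str, responses: dict[str, str | None]) -> tuple[bool, list[str]]:
    """
    Walk a constructed redirect chain. `responses` maps a URL to the next
    Location header, or to None for a final (non-redirect) response.
    Returns (ok, path_taken); the path's last entry explains a failure.
    """
    path = [start]
    url = start
    hops = 0
    while True:
        nxt = responses.get(url)
        if nxt is None:                  # final response, challenge served here
            return True, path
        if hops == MAX_REDIRECTS:
            return False, path + ["too many redirects"]
        ok, reason = check_redirect_target(nxt)
        if not ok:
            return False, path + [f"rejected {nxt}: {reason}"]
        path.append(nxt)
        url = nxt
        hops += 1


# Constructed scenarios (hypothetical hostnames), mirroring the thread:
# a webserver on port 80 redirecting the challenge path to a router on 8443.
TOKEN_PATH = "/.well-known/acme-challenge/exampletoken"
WEBSERVER = "http://home.example.test" + TOKEN_PATH
ROUTER_8443 = "https://home.example.test:8443" + TOKEN_PATH
ROUTER_443 = "https://home.example.test" + TOKEN_PATH

SCENARIO_BAD_PORT = {WEBSERVER: ROUTER_8443, ROUTER_8443: None}
SCENARIO_DEFAULT_PORT = {WEBSERVER: ROUTER_443, ROUTER_443: None}


def demo() -> dict[str, bool]:
    """Run both scenarios and report whether the validator would accept them."""
    return {
        "redirect_to_8443": follow_redirects(WEBSERVER, SCENARIO_BAD_PORT)[0],
        "redirect_to_443": follow_redirects(WEBSERVER, SCENARIO_DEFAULT_PORT)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Run as a script it prints that the 8443 redirect is rejected and the default-port redirect accepted, which is the thread's conclusion: sharing the challenge between two hosts via redirect only works if the second host answers on 80 or 443, not on 8443.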