I'm in the process of installing a server with Let's Encrypt certificates using the certbot client.
On the test server, I managed to get a certificate issued successfully.
Now I have some questions, and I cannot really run tests because I'm afraid of blocking my access due to the certificate rate limits, etc.
1st and main question:
On my virtual servers (prod and test), I'm writing a script so that ALL servers can be fully installed with it, so in case of a major crash I just have to create a new VM (same IP) and run the script.
So I'm wondering about certbot: how can I re-install certificates which have previously been issued on another server? I'm afraid that if I just run certbot certonly --webroot […], it will either tell me the certificates have already been created on another server, OR it will create new instances of the certificates instead of retrieving the existing ones, and I don't want to have rate limit issues, etc.
What exactly do I need to get my certificates back, ready to be set up in my web server? Of course, I do not want to have only the pem files, because I want the renew feature to work as it did on the original server.
The answer to this question should take into consideration that I have access to the working server right now, so I can back up the required files to achieve this the day the problem occurs.
2: my server is running Debian Jessie, so I got certbot from backports.
It's running fine, but the certbot version is 0.9.3, and it appears that because of this, some newly added features from the documentation are missing: for example, "certbot certificates" does not work.
Without upgrading certbot (I would like to stick with the official tested apt-get packages), how can I retrieve the list of certificates certbot installed on the server?
3: My prod & test servers share the same domain. Only the subdomains change from one to the other.
In order for everything to work on the test & prod servers, would you advise me to:
- Have a different certificate for each machine so I can renew certificates on all of them?
- Share the same certificate? I don't think that would be a good idea: renewal would be difficult if I want it to be automated.
Do you think it's possible to use the same certbot command line on ALL servers (prod & test), and have different certificates installed, knowing they manage different subdomains?
For example: certbot […] --allow-subset-of-names -d prod.domain -d test.domain -d test2.domain
Theoretically, because of allow-subset-of-names, only the domains that work on the current machine should be OK, so it 'should' work. Am I right? If so, how will the certificate be named (the 0.9.3 version does not have the cert-name option): after the first domain on the command line, or after the first WORKING domain on the command line?
Thanks for your help!!
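The backup/restore and "list what certbot installed" procedures asked about in questions 1 and 2, as an added example that is not part of the original post and is not certbot's own tooling. It assumes certbot's standard state directory layout (/etc/letsencrypt with accounts/, archive/, live/ and renewal/), reads lineage names and their domains from renewal/*.conf (domains come from the [[webroot_map]] section, which is what the --webroot authenticator writes), and archives the whole tree with tar so the live/ symlinks, the versioned files in archive/ and the ACME account in accounts/ all come back on the rebuilt VM, which is what lets "certbot renew" keep working there. The CONFDIR override, the script file name le-state.sh and the example lineage names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post or from certbot itself.
# Works on certbot's standard state directory (assumed layout):
#   $CONFDIR/accounts/   ACME account key (needed for renewal)
#   $CONFDIR/archive/    real key/cert files, versioned (privkey1.pem, ...)
#   $CONFDIR/live/       symlinks to the current version in archive/
#   $CONFDIR/renewal/    one <lineage>.conf per certificate
# Copying this whole tree (symlinks preserved) to the new VM is what makes
# "certbot renew" keep working there. CONFDIR can be overridden for testing.
CONFDIR="${CONFDIR:-/etc/letsencrypt}"

# Print one lineage (certificate) name per line, from renewal/<name>.conf.
le_lineages() {
    dir="${1:-$CONFDIR}"
    for conf in "$dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        basename "$conf" .conf
    done
}

# Print "<lineage> <domain>" for every domain in the [[webroot_map]]
# section of each renewal conf (the domains certbot will renew).
le_domains() {
    dir="${1:-$CONFDIR}"
    for conf in "$dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        awk -v n="$(basename "$conf" .conf)" '
            /^\[\[webroot_map\]\]/ { inmap = 1; next }
            /^\[/                  { inmap = 0 }
            inmap && /=/           { sub(/[ \t]*=.*/, ""); print n, $0 }
        ' "$conf"
    done
}

# Archive the whole state directory; symlinks in live/ are stored as
# symlinks (no -h), so the restored tree is identical. The archive
# contains private keys: keep it as protected as the original directory.
le_backup() {
    src="${1:-$CONFDIR}"; out="$2"
    tar -C "$(dirname "$src")" -cf "$out" "$(basename "$src")"
}

# Restore into $dest (default /etc/letsencrypt); the archive's top-level
# directory name must match the basename of $dest. -p keeps the restrictive
# permissions certbot set on keys and directories.
le_restore() {
    archive="$1"; dest="${2:-$CONFDIR}"
    mkdir -p "$(dirname "$dest")"
    tar -C "$(dirname "$dest")" -xpf "$archive"
}

# Verify every lineage's live/ symlinks resolve after a restore. Returns
# non-zero and names the broken lineage if a key or chain is unreadable.
le_check() {
    dir="${1:-$CONFDIR}"; ok=0
    for name in $(le_lineages "$dir"); do
        for f in privkey.pem fullchain.pem; do
            if [ ! -r "$dir/live/$name/$f" ]; then
                echo "broken lineage $name: $dir/live/$name/$f" >&2
                ok=1
            fi
        done
    done
    return $ok
}

# Small CLI so the file can be run directly (hypothetical file name):
#   sh le-state.sh list            # stand-in for "certbot certificates"
#   sh le-state.sh backup le.tar   # on the working server
#   sh le-state.sh restore le.tar  # on the rebuilt VM, then "certbot renew --dry-run"
case "${1:-}" in
    list)    le_domains ;;
    backup)  le_backup "$CONFDIR" "$2" && echo "wrote $2" ;;
    restore) le_restore "$2" "$CONFDIR" && le_check "$CONFDIR" ;;
esac
```

Run the backup step as root on the working server today and copy the tar off the box along with the rebuild script; after restoring on the new VM, le_check confirms the live/ links resolve, and "certbot renew --dry-run" confirms the account and webroot paths in renewal/*.conf still match the new machine before any real renewal is attempted.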