Renewal of certificates on unique servers


#1

I have SSL certificates that have been issued for a CN and SAN that have the CN and SAN domain names reversed. The CN=embleton.me.uk and SAN=embleton.me.uk & mental.me.uk which is unique on each IPv6 address but the SAN points to another host on an IPv6 address.

The mirror is on CN=mental.me.uk and SAN=mental.me.uk & embleton.me.uk The acme are on the same path and certificates too on each unique website server machine that is in a MySQL mirror. The servers are in a MySQL master to master replication for a database that is used the same for both servers. It is a phpBB that is live mirrored.

Only 1 server has an IPv4 address for I only have one of those behind a NATed connection and this can be switched around for bringing in a replacement during maintenance on the mirror which has certificates which must be mirrored but the CN name is different on each certificate apache website server. The OS is Ubuntu for both servers. And I have complete total control of the servers.

It would be a pain to alter the DNS records when certificates need renewal but during the setup process, this was done. And it would be a pain having to copy certificates between servers, I’d like the process to be automated when renewal comes around. This may not be an issue but maybe for it was first when setup initially.

Am I going to run into an issue when automatic certificate renewal occurs on each server?


#2

Hi @mae-3

this

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:mental.me.uk&lu=cert_search

looks wrong.

Today you had created two certificates:

  1. CN=mental.me.uk and SAN=embleton.me.uk, mental.me.uk

https://transparencyreport.google.com/https/certificates/ZjmoLXraSvmI8OsLJW9hXe7jYjy7JPScbNFZ8%2FoUcX4%3D

  1. CN=embleton.me.uk, SAN=embleton.me.uk, mental.me.uk

https://transparencyreport.google.com/https/certificates/l%2FAHPSkv4HmySFrh2RVgv2G77A558egtxDj61zyvpX8%3D

You need only one of these certificates. The CN-Name is shown in some situations first. But important (certificate matches domain name) is the SAN-list, there may be 50 - 100 names.

So normally you should create only one of these certificates (every 60 days) and deploy it to your mirror.


#3

That is most unusual and it would seem that Google is wrong! Only 1 certificate was issued today. It seems the configuration isn’t understood and letsencrypt may support it for I believe the renewal isn’t challenged by DNS once done the first time? The DNS AAAA records were changed today whilst I was doing the job, and not all the internet would have been able to see the two routes by IPv6 but they will soon.

An IPv6 route to mental.me.uk the common name (CN) issued today.
An IPv6 route to embleton.me.uk. the common name (CN) issued some time ago.

Thank you for taking the time in answering my question, it would seem I have to manually copy the certificate between machines and that is a pain.


#4

I don’t think that Google is wrong. Certificate Transparency is an Append-only-Protocol.

Certificate Transparency

The standard creates a system of public logs that seek to eventually record all certificates issued by publicly trusted certificate authorities, allowing efficient identification of mistakenly or maliciously issued certificates.

Your server has ordered two certificates today. Check your installation.


#5

My apology if I was wrong to issue 2 certificates hopefully that doesn’t cause an issue, sincerely. As it is I have 2 certificates that are different depending on the IPv6 route reportedly so by looking at the dates for embleton.me.uk or mental.me.uk over IPv6 only. The IPv4 route points to the 1 machine and that certificate issued some time ago. mental.me.uk is not viewable over IPv4.


#6

It is so nice to know that I should likely use symmetrical encryption for exchanging the passwords and data over ssh to distribute a private key. An encryption method using AES128 as a default breakable in likely 30 years :frowning:


#7

No, normal this shouldn’t be a problem. There are limits (5 identical certificates in 7 days), but 2 < 5 :wink:

More important: You need only one certificate. So this should reduce some problems.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.