Renewing wildcard domain with subdomains on multiple servers


#1

I’ve got several dozen servers, each hosting a subdomain of mydomain.com. I’ve created a wildcard certificate for *.mydomain.com which runs fine on the server I created it on (using certbot) and I copied the relevant files from /etc/letsencrypt over to one of my other servers. It works fine there too.

I’m concerned, though, about what will happen when it’s time to renew the certificate. If I have a cron job running “certbot-auto renew” on both servers for the same wildcard domain, will the right thing happen, i.e. will the certificate get renewed on both servers without any intervention on my part?

I copied over mydomain.conf from /etc/letsencrypt/renewal on the server I created the certificate on to one of my other servers. Was that the right thing to do?

The alternative seems to be to run certbot on each of my several dozen servers and validate that I own the domain on each one. That’s pretty cumbersome.

Thanks!


#2

if they’re all on the same network, you can mount the LE directory as read-only via NFS (or similar) and then just restart servers every few days to pick up the change.

If they’re not on the same network, a typical low effort way to automate syncing the files is with rsync or scp. some people put in more effort to actively distribute them using ansible, puppet, etc. the larger efforts to handle this generally involve writing services and servers to provision certificates (ie, all the servers check the provisioning authority daily for a new cert, then update/restart as needed)


#3

If each system can independently renew the wildcard cert, then it might be an answer that works for you.
You would have to read through the rate usage limits thou as each system would be counted towards those limits.

There are many varied ways to “skin that cat” and as long as it works you it is a valid method.


#4

This advice should be correct as far as functionality goes, but for copying a private encryption key, it would be a good idea to use a more secure network protocol than just classic NFS, so that other devices with access to the network can’t extract that private key.


#5

True - I didn’t think about systems that weren’t firewalled away. NFS over SSH or some of the secure-by-design options are definitely better.


#6

Even some systems that are behind firewalls might be using compromised routers or network switches. :frowning:


#7

Ok, so I can securely copy the certificate files to my other servers. What would happen if I ran “certbot-auto renew” on my servers? Would “the right thing” happen? Would all of the servers get the same new certificate files? Or, does that not work?


#8

I think yes, but maybe not your exact definition of right.

Each run is unique and thus each cert would be unique.
They would all cover the same names but may have different expiration dates (depending on when they ran) and certainly different thumbprints.


#9

Renewing separately on each server may also risk running up against Let’s Encrypt’s rate limits. Apart from that, it can succeed as long as you make sure to copy the symlink structure onto each server.


#10

Is there a way to test the renewal behavior for wildcard certificates? I don’t want to find out in 90 days that my automatic renewal didn’t work. Thanks.


#11

You could try it with –force-renewal
But be careful not to add that into the script.
Or –dry-run


#12

Thanks, everybody, for your help. My conclusion is that I either need to generate the certificate on one machine and replicate it to all the other machines via some secure copy mechanism OR run certbot-auto on each machine to generate unique certificates. Creating the certificate on one machine, copying it to another, and then expecting the other machine (that didn’t initially create it) to be able to renew it fails miserably.


Processing /etc/letsencrypt/renewal/mydomain.conf

Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,)
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(‘An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.’,). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)


Our DNS is handled by dnsmadeeasy.com. I notice that there is a plugin for certbot to access the API for that service. That should facilitate generating certificates.


#13

You’d need to copy the renewal configuration from /etc/letsencrypt for that to work, and most-likely the account info too. If copying/syncing the entire /etc/letsencrypt directory is an option for you, that usually works – though you’ll need to install any plugins/etc on the other machines as well.


#14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.