I have multiple servers (apache, nodejs, mailserver, …) sharing the same certificates, and I need to copy the certificate files to multiple servers after each renewal. I think I will dedicate a virtual machine to generate the certificates and copy them to all machines.
Is it good practice? If yes, how can I tell certbot to launch a script after each automatic renewal?
Here is the requested information:
Web server : Apache/2.4.29 on Ubuntu 18.04.1 LTS
Bind server : BIND 9.9.5-3ubuntu0.2-Ubuntu on Ubuntu 14.04.1 LTS
Yes, it is. You're going to use the dns-01 challenge? Would be a good choice if you're running your own DNS server indeed. No need for HTTP challenge redirects et cetera.
See the Renewing certificates part of the certbot documentation, especially the part of --deploy-hook or its equivalent directory /etc/letsencrypt/renewal-hooks/deploy.
Also see the help text of the --deploy-hook variable in the command line options overview, it has more information about environment variables which can be used in the script(s).
NFS is unencrypted, so it is not suitable for your private key if your network isn't secure. Personally, I would use scp / ssh to copy the cert and private key. Of course you'll also need to reload the service so it uses the new key, which might be done with perhaps the same ssh command. I'm pretty sure you might find others who have already scripted solutions for this on the world wide web.
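The two replies above describe the pieces separately: certbot's `--deploy-hook` (or a script dropped into `/etc/letsencrypt/renewal-hooks/deploy`) runs only after a renewal actually succeeds, and scp / ssh keeps the private key off the wire in clear. The script below puts them together as an added example; it is not code from anyone in this thread. Certbot really does set `RENEWED_LINEAGE` and `RENEWED_DOMAINS` for deploy hooks, but the hostnames, the `deploy` user, the `/etc/ssl/shared` destination and the reload commands are assumptions to replace with your own. `DRY_RUN=1` prints the commands instead of executing them, which is how to check what the hook would do before wiring it into certbot.

```shell
#!/bin/sh
# certbot deploy hook: push the renewed shared certificate to the other hosts
# over ssh and reload the services there. Added example, not from the thread.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS to deploy-hook scripts; everything else below is assumed.

# Hosts sharing the certificate, one per line as host:reload-command (assumed).
TARGETS="web1.example.internal:systemctl reload apache2
mail.example.internal:systemctl reload postfix dovecot
app.example.internal:systemctl restart node-app"

REMOTE_DIR="/etc/ssl/shared"   # assumed destination directory on each host
REMOTE_USER="deploy"           # assumed unprivileged account with a dedicated ssh key
DRY_RUN="${DRY_RUN:-0}"        # DRY_RUN=1 prints commands instead of running them

# Execute a command, or print it verbatim when dry-running.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Only act on the shared lineage; certbot calls the hook for every renewed
# certificate, so an unrelated lineage must not trigger a push.
is_shared_lineage() {
    case "$1" in
        */live/example.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy fullchain + private key to one host, then fix permissions and reload.
# scp over ssh encrypts the key in transit, which NFS would not.
deploy_to_host() {
    host="$1"; reload_cmd="$2"; lineage="$3"
    run scp -q "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        "$REMOTE_USER@$host:$REMOTE_DIR/"
    run ssh "$REMOTE_USER@$host" "chmod 600 $REMOTE_DIR/privkey.pem && $reload_cmd"
}

# Push to every target host listed in TARGETS.
deploy_all() {
    lineage="$1"
    is_shared_lineage "$lineage" || return 0
    printf '%s\n' "$TARGETS" | while IFS=: read -r host reload_cmd; do
        deploy_to_host "$host" "$reload_cmd" "$lineage"
    done
}

# Entry point when invoked by certbot; does nothing if RENEWED_LINEAGE is unset.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_all "$RENEWED_LINEAGE"
fi
```

Install it as an executable file under `/etc/letsencrypt/renewal-hooks/deploy/` (or pass it with `--deploy-hook`) on the machine that runs certbot; the `deploy` account on each target should be allowed only to write into `REMOTE_DIR` and run the reload command, so a compromise of the certificate VM's ssh key does not hand out a root shell elsewhere.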