My web server is (include version): all cases Apache
The operating system my web server runs on is (include version): all cases 18.04.1 LTS
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0 (snap)
My problem is that I have the zonemail.co.za domain running on 2 servers and wish to have certs for both.
I used (on the poseidon.zonemail.co.za Server) certbot-auto certonly --manual -d *.zonemail.co.za --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 -m bester.jpb@gmail.com --server https://acme-v02.api.letsencrypt.org/directory
to create the *.zonemail.co.za cert to use on the Apache server as well as the Apache Tomcat server.
On the ares.zonemail.co.za server I now need to have the same cert to use on the Apache server.
How must I implement the ares server - command please.
I don't understand your configuration. But if you have a certificate created (with --manual, the hard way), you can copy the certificate and re-use it with different applications.
Your http://zonemail.co.za/.well-known/acme-challenge/1234 has a redirect to https - https://zonemail.co.za/.well-known/acme-challenge/1234; there your Apache answers, not your Tomcat.
But with a wildcard, that's not relevant. And your wildcard doesn't include the main domain, so you can't use it with that Apache.
There is already a Let's Encrypt certificate - with 4 domain names - zone.co.za, your other domain + both www versions.
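The remark that a `*.zonemail.co.za` wildcard does not cover the bare `zonemail.co.za` name can be checked mechanically before a certificate is copied anywhere. The following is an added example and not code from any post in this thread: it applies the RFC 6125 matching rule (a wildcard stands in for exactly one leftmost label) to the hostnames the servers present. The endpoint names are the ones mentioned in the thread; the two SAN lists are constructed samples, not the contents of any real certificate.

```python
"""Check which hostnames a certificate's SAN list fails to cover.

Added example. The SAN lists below are constructed; the hostnames are
taken from the thread. Ports (e.g. abc.zonemail.co.za:844) are irrelevant
to name matching and are not part of the names here.
"""


def _labels(name):
    """Lower-case, strip a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def san_matches(san, hostname):
    """RFC 6125-style comparison of one SAN entry against one hostname.

    A wildcard only replaces the whole leftmost label, so
    '*.zonemail.co.za' matches 'abc.zonemail.co.za' but neither
    'zonemail.co.za' (one label short) nor 'a.b.zonemail.co.za'
    (one label too many).
    """
    san_labels, host_labels = _labels(san), _labels(hostname)
    if len(san_labels) != len(host_labels):
        return False
    if san_labels[0] == "*":
        # Everything right of the wildcard must match exactly.
        return san_labels[1:] == host_labels[1:]
    return san_labels == host_labels


def uncovered(hostnames, sans):
    """Return the hostnames that no SAN entry in `sans` covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


# Names from the thread (apex, www, mail host, and the virtual-host examples).
ENDPOINTS = [
    "zonemail.co.za",
    "www.zonemail.co.za",
    "ares.zonemail.co.za",
    "poseidon.zonemail.co.za",
    "xyz.zonemail.co.za",
    "abc.zonemail.co.za",
    "bnh.zonemail.co.za",
]

# Constructed SAN lists: the wildcard alone, and wildcard plus apex.
WILDCARD_ONLY = ["*.zonemail.co.za"]
WILDCARD_PLUS_APEX = ["*.zonemail.co.za", "zonemail.co.za"]

if __name__ == "__main__":
    print("wildcard only leaves uncovered:", uncovered(ENDPOINTS, WILDCARD_ONLY))
    print("wildcard + apex leaves uncovered:", uncovered(ENDPOINTS, WILDCARD_PLUS_APEX))
```

To feed a real certificate into `uncovered`, list its SANs with `openssl x509 -in fullchain.pem -noout -ext subjectAltName` and pass the `DNS:` entries; a certificate issued for both `-d zonemail.co.za -d '*.zonemail.co.za'` is what makes the second list come back empty.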
Yes but can I copy it to another server and use it there? (Original question)
I was hoping to use a "duplicate" certificate on the second server hosting my mail MX using the same domain and get the cert automatically updated via the scripts installed by snapd.
My DNS looks like this.
MX 10 ares.zonemail.co.za.
ares A 176.58.119.143
poseidon A 173.255.192.16
www A 173.255.192.16
I have several other sub-domains running on both servers using the zonemail domain, and some are Apache Tomcat endpoints; therefore, switching to the wildcard solution, the www etc. certificates will be deprecated and removed.
So for the HTTP, POP3, SMTP and Tomcat endpoints I need the same certificate on both servers.
The servers are task-specific and even located in different countries.
The two servers run from completely different IPs.
There is no need to try to get both certs from one location.
I would just let each server get its own cert.
Those servers are only HOSTS; they each run Apache, Apache Tomcat and some other protocols, and each has virtual hosts that run on it.
Each of the virtual hosts responds to different endpoints and protocols,
like
xyz.zonemail.co.za:8443 in the case of a JVM hosted by Tomcat
abc.zonemail.co.za:844 in the case of HTTPS
bnh.zonemail.co.za:587 in the case of SMTP
Therefore the certificate *.zonemail.co.za works perfectly for most,
HOWEVER
these services are NOT installed on the same physical location or device!
Then have each server get such a wildcard.
You can easily get up to 5 certs with the exact same set of names - without exceeding the limits.
There is NO need to "share certs" across town.
Not sure why you mentioned SNI - seems rather random...
Here is my random reply to that: So you're into crypto?
Yes, if that will solve their problems.
Yes, that is exactly what I'm saying.
Provided you don't have toooo many such servers.
Some light reading: Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
So, how many servers are we talking about?
[or should I just assume the title covers that - but I try so hard to never assume anything]
Done that - the only issue was the DNS has 2 entries. Is certbot intelligent enough to seek out the other one when updating? Or is it not used after install?
You can. But if you use --manual without having a supported DNS-API, that's a terrible idea. Wildcards require dns validation.
You can create 50 certificates per domain per week. So (I don't think you have more than 50 subdomains) you can use --standalone and http validation - completely automated.
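The "supported DNS-API" the reply above calls for is what turns `--manual` with `dns-01` into something each server can renew on its own. The script below is an added example, not code from the thread or from certbot: it is a `--manual-auth-hook` / `--manual-cleanup-hook` pair that creates and removes the `_acme-challenge` TXT record. certbot hands the hook the domain in `CERTBOT_DOMAIN` (without the `*.` for a wildcard) and the token in `CERTBOT_VALIDATION`; those variable names are certbot's. Everything about the DNS provider is an assumption: the Linode API v4 endpoint, the `LINODE_TOKEN` and `LINODE_DOMAIN_ID` environment variables, and the JSON field names are assumed here and would need checking against the provider's documentation. The offline part of the example shows the two details that matter when the apex and the wildcard are in one certificate, or when two servers validate against the same zone: the hook must add a TXT value without replacing existing ones, and cleanup must delete only the value it created.

```python
#!/usr/bin/env python3
"""certbot DNS-01 auth/cleanup hook (added example; provider calls assumed).

Install as /usr/local/bin/acme_dns_hook.py on each server and run the same
command on each, so every server gets and renews its own certificate:

  LINODE_TOKEN=... LINODE_DOMAIN_ID=... certbot certonly --manual \
      --preferred-challenges dns-01 \
      --manual-auth-hook    "/usr/local/bin/acme_dns_hook.py auth" \
      --manual-cleanup-hook "/usr/local/bin/acme_dns_hook.py cleanup" \
      -d zonemail.co.za -d '*.zonemail.co.za'
"""
import json
import os
import sys
import time
import urllib.request

ZONE = "zonemail.co.za"
API = "https://api.linode.com/v4"  # assumption: Linode API v4 base URL


def relative_name(domain, zone=ZONE):
    """TXT record name relative to the zone for the domain certbot passes.

    Both 'zonemail.co.za' and '*.zonemail.co.za' map to '_acme-challenge';
    'mail.zonemail.co.za' maps to '_acme-challenge.mail'.
    """
    domain = domain.lower().rstrip(".")
    if domain.startswith("*."):
        domain = domain[2:]
    if domain == zone:
        return "_acme-challenge"
    if domain.endswith("." + zone):
        return "_acme-challenge." + domain[: -len(zone) - 1]
    raise ValueError("%s is not inside zone %s" % (domain, zone))


def add_txt(records, name, value):
    """Append a TXT record; never overwrite. A cert covering the apex and
    the wildcard needs two different values at the same name at once."""
    rec = {"type": "TXT", "name": name, "target": value}
    if rec not in records:
        records.append(rec)
    return records


def remove_txt(records, name, value):
    """Delete only the record whose value matches, leaving any other pending
    validation (the second name, or another server's run) untouched."""
    return [r for r in records
            if not (r["type"] == "TXT" and r["name"] == name and r["target"] == value)]


def api_call(method, path, token, body=None):
    """Minimal JSON call to the assumed provider API; returns the decoded body."""
    req = urllib.request.Request(
        API + path, method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def main(action):
    token, zone_id = os.environ["LINODE_TOKEN"], os.environ["LINODE_DOMAIN_ID"]
    name = relative_name(os.environ["CERTBOT_DOMAIN"])
    value = os.environ["CERTBOT_VALIDATION"]
    path = "/domains/%s/records" % zone_id  # assumed endpoint
    if action == "auth":
        api_call("POST", path, token,
                 {"type": "TXT", "name": name, "target": value, "ttl_sec": 300})
        # Let's Encrypt validates from several vantage points; give the
        # provider's secondaries time to serve the record before returning.
        time.sleep(60)
    elif action == "cleanup":
        for rec in api_call("GET", path, token).get("data", []):
            if rec.get("type") == "TXT" and rec.get("name") == name \
                    and rec.get("target") == value:
                api_call("DELETE", "%s/%s" % (path, rec["id"]), token)
    else:
        sys.exit("usage: acme_dns_hook.py auth|cleanup")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else "")
```

Because the hooks are recorded in the renewal configuration, the `certbot renew` timer the snap installs will call them again on each server, which is the automatic renewal asked about earlier in the thread; the API token should be readable only by root on the box that runs certbot.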
There is no built-in intelligence for this situation.
And there is very little chance of success - even though it would seem to be a 50% chance.
Let me explain:
Because LE uses secondary validations, the likelihood of that 50/50 chance (flip a coin and land on heads), becomes multiplied several times over.
Now you have to flip a coin three times in a row and have it land on heads all three times.
That's only a 1 in 8 chance - a very much lower chance, and a very much higher probability of failure.
How are you using two IPs for the exact same system/information?