Same domain used on 2 servers

My domain is:

I ran this command: see below - it's complicated

It produced this output:

My web server is (include version): all cases Apache

The operating system my web server runs on is (include version): all cases 18.04.1 LTS

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0 (snap)

My problem is I have a domain running on 2 servers and wish to have certs for both.
I used (on the Server) certbot-auto certonly --manual -d * --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 -m --server
to create the * to use on the apache server as well as the apache-tomcat server.
On the server I now need to have the same cert to use on the apache server.

How must I implement the ares server? Command please.


Hi @Morons

I don't understand your configuration. But if you have a certificate created (with --manual, the hard way), you can copy the certificate and re-use it with different applications.

Your has a redirect to https; there your Apache answers, not your Tomcat.

But with a wildcard, that's not relevant. And your wildcard doesn't include the main domain, so you can't use it with that Apache.

There is already a Let's Encrypt certificate with 4 domain names: your other domain plus both www versions.


Yes but can I copy it to another server and use it there? (Original question)

I was hoping to use a "duplicate" certificate on the second server hosting my mail MX using the same domain, and get the cert automatically updated via the scripts installed by snapd.

My DNS looks like this:
MX 10
ares A
poseidon A
www A

I have several other sub-domains running on both servers using the zonemail domain, and some are apache-tomcat endpoints; therefore, switching to the wildcard solution, the www.etc certificates will be deprecated and removed.
So for the HTTP, POP3, SMTP and Tomcat endpoints I need the same certificate on both servers.
The servers are task-specific and even located in different countries.


The two servers run from completely different IPs.
There is no need to try to get both certs from one location.
I would just let each server get its own cert.

Addresses: 2a01:7e00::f03c:91ff:fe59:a350

Addresses: 2600:3c00::f03c:91ff:fe93:9f35

Also, you only mentioned IPv4 addresses.
Be sure you understand that IPv6 addresses are being returned and LE will prefer IPv6 when present.


Those servers are only HOSTS; they each run apache, apache-tomcat and some other protocols, and each has virtual hosts that run on them.
Each of the virtual hosts is responding to different endpoints and protocols,
like in the case of a JVM hosted by Tomcat, in the case of https, in the case of smtp.

Therefore the certificate * works perfectly for most.
These services are NOT installed on the same physical location or device!

SNI (Server Name Indication) ??


Then have each server get such a wildcard.
You can easily get up to 5 certs with the exact same set of names - without exceeding the limits.
There is NO need to "share certs" across town.

Not sure why you mentioned SNI - seems rather random...
Here is my random reply to that: So you're into crypto?


What you say is that I can request a * certificate for each of my servers?


Yes, if that will solve their problems.
Yes, that is exactly what I'm saying.
Provided you don't have toooo many such servers.
Some light reading: Rate Limits - Let's Encrypt - Free SSL/TLS Certificates
So, how many servers are we talking about?
[or should I just assume the title covers that - but I try so hard to never assume anything]


Done that. The only issue was the DNS has 2 entries. Is certbot intelligent enough to seek out the other one when updating? Or is it not used after install?


You can. But if you use --manual without having a supported DNS API, that's a terrible idea. Wildcards require DNS validation.

You can create 50 certificates per domain per week. So (I don't think you have more than 50 subdomains) you can use --standalone and HTTP validation, completely automated.


There is no built-in intelligence for this situation.
And there is very little chance of success - even though it would seem to be a 50% chance.
Let me explain:
Because LE uses secondary validations, the likelihood of that 50/50 chance (flip a coin and land on heads) becomes multiplied several times over.
Now you have to flip a coin three times in a row and have it land on heads all three times.
That's only a 1 in 8 chance - a very much lower chance and probability very much higher for failure.

How are you using two IPs for the exact same system/information?

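A preflight check for the --standalone / HTTP validation path suggested above, and for the two-A-record problem in the last reply (added example, not from the thread; it assumes dig from dnsutils and ip from iproute2 are installed on the Ubuntu host that will run certbot). It resolves both the A and AAAA records of a name, since Let's Encrypt prefers IPv6 when present, and refuses to proceed unless every published address belongs to this machine.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dig (dnsutils) and ip (iproute2)
# are installed on the Ubuntu host that will run certbot.
set -eu

# dns_all_local LOCAL_ADDRS DNS_ADDRS
# Both arguments are space-separated address lists. Returns 0 only when every
# published address is held by this host, 1 when some address belongs elsewhere
# (a validator may connect to that one instead), 2 when nothing is published.
dns_all_local() {
  local local_addrs="$1" dns_addrs="$2" addr status=0
  [ -n "$dns_addrs" ] || { echo "no A/AAAA records published" >&2; return 2; }
  for addr in $dns_addrs; do
    case " $local_addrs " in
      *" $addr "*) ;;
      *) echo "published address $addr is not on this host" >&2; status=1 ;;
    esac
  done
  return "$status"
}

# Published A and AAAA records for a name. dig +short can also print CNAME
# targets, so keep only lines that look like addresses. AAAA matters because
# Let's Encrypt prefers IPv6 when a AAAA record exists.
published_addrs() {
  {
    dig +short A "$1" | grep -E '^[0-9.]+$' || true
    dig +short AAAA "$1" | grep ':' || true
  } | tr '\n' ' '
}

# Global-scope IPv4 and IPv6 addresses configured on this host, prefix length stripped.
local_addrs() {
  ip -o addr show scope global | awk '{ sub("/.*", "", $4); print $4 }' | tr '\n' ' '
}

# preflight NAME: decide whether http-01 (certbot --standalone) can succeed from here.
preflight() {
  if dns_all_local "$(local_addrs)" "$(published_addrs "$1")"; then
    echo "OK: every record for $1 points here; certbot certonly --standalone -d $1 can validate"
  else
    echo "STOP: fix DNS for $1, or use dns-01 through a supported DNS API, before requesting" >&2
    return 1
  fi
}
# Run only when a name is supplied, e.g. PREFLIGHT_NAME=ares.example.com sh preflight.sh
if [ -n "${PREFLIGHT_NAME:-}" ]; then
  preflight "$PREFLIGHT_NAME"
fi
```

The addresses below are constructed documentation ranges; on a real host the script compares what dig returns against what ip reports.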
