I currently have three web servers. Two on the east coast and one on the west coast. I am using DnsMadeEasy and there us always only one web server that is active. The DNS service actively polls my web servers to see if they are up. If say east-coast-1 is down it will send all traffic to east-cost-2 (so only one is active at once).
I have two certs.One is for telecurve.net and the other is for a wild cared *.telecurve.net. For telecurve.net I am using certbot 0.31.0 with a cron that runs nightly (usr/bin/certbot renew). For *.telecurve.net I am using acme.sh (I set it up a while ago).
Currently I have one server that runs these crons nightly. I never set up Let’s encrypt on the other boxes. How would I go about having it so that all three servers connect to Let’s Ecnrypt to get their latest cert? I only need one box to renew and then somehow have the cert sent to all the other boxes. I could run a script that will do a DNS lookup, see of it’s the active node and then scp the cert to all other nodes but that seems like an ugly hack. Is there any way to have all boxes grab the latest cert from Let’s Encrypt?
The boxes are running CentOS7
Webserver is apache
I have root access
Thanks in advance.
EDIT1: I was thinking perhaps instead of using certbot I can use something like acme to connect to DNSMadeEasy’s API check if there is a new cert and then if there is instead of keeping it locally pushing it to aws where all my web hosts would then grab it nightly?
This seems much more complicated than necessary. Use acme.sh and DNS validation using the DNSMadeEasy API to obtain certs on all three servers. There's no reason they all need to use the same one, and any scheme that would give you that situation would be much more complicated.
Wont Let’s Encrypt issuing a new cert if it just created one. So say we have
Server 1 - 00:00 - 08:00.
Server 2 - 08:00 - 16:00.
Server 3 - 16:00 - 00:00.
Say at 00:00 it generate a new cert for Jan-01 through March 31st. Now when Server2 connects it wont generate a new cert because it just created one. How do I get the same SSL cert for all three servers?
Ok. Perhaps we can dumb it down a bit. So when I look at my server I have four files:
cert1.pem - This is the cert
chain1.pem - This helps with the chain
fullchain1.pem - This helps with the chain
privkey1.pem - This is my private key
As I understood it privke1.pem is my private key that I keep locally and then cert1.pem is the cert from Let’s encrypt. When I run acme.sh what I am getting from Let’s Encrupt is cert1.pem which is not public correct? You wrote “The public part is downloadable via CT-logs. But that’s the simpler part of the problem.”. I am trying to figure out which part is public that I can have each server fetch, which files can stay the same (I assume privkey1.pem) and which file I need to push to all the others (I assume cert1.pem). Correct?
cert1.pem is public and is the signed copy of your certificate all by itself.
chain1.pem is the chain of CA certificates (not including the root) that signed your certificate. It is also public. At the moment, Let’s Encrypt only has 1 intermediate cert, so there should only be one in there. But that’s not guaranteed to be that way forever. This file would also be the same for everyone who gets a certifcate from Let’s Encrypt.
fullchain1.pem is literally just cert1.pem and chain1.pem combined into one file (and thus, public). It’s useful for software that need them combined.
privkey1.pem is your private key. It is private and cryptographically tied to your certificate. It was generated on your server and is needed in order to use the certificate to sign/encrypt things.
What you need to push to other servers is dependent on the software running on those servers. But it will always include the private key and the certificate in some form. Since you already have to copy the private key, you might as well copy everything you need rather than trying to re-download the public things from an external source. That just adds complication where it doesn’t need to exist.
Some software needs the cert, chain, and private key all in separate PEM files. Some need the cert and chain combined and the private key separate. Some need all 3 combined. Some need them in an entirely different format like PFX or Java Keystore which means you’d have to convert them. Reading the docs for the software that will be using your cert will generally tell you what format it needs them in.
Thank you all for the help. I seem’d to have got it working. With the line below:
./acme.sh --issue -d ‘*.telecurve.com’ --dns dns_me --cert-file /tmp/telecurve.com/cert.pem --key-file /tmp/telecurve.com/key.pem --ca-file /tmp/telecurve.com/ca.pem --fullchain-file /tmp/telecurve.com/fullchain.pem
If the files have a newer timestamp then when I started I know they are new and to ship them to the other boxes.
I really don’t think this is necessary, assuming the DNSMadeEasy API isn’t stupid–overlapping TXT records aren’t a problem for Let’s Encrypt, so as long as the clients manage to delete only the records they created, no problem.
Thinking a little outside the box, set up acme.sh, generate the cert (which involves registering the ACME account) on one server, then copy the ACME account credentials to the other two servers. That way, the domain will be validated only once in a 30-day window, which should pretty well eliminate concerns with overlapping DNS records.