Sharing cert between servers

Hi,

I currently have three web servers. Two on the east coast and one on the west coast. I am using DnsMadeEasy and there is always only one web server that is active. The DNS service actively polls my web servers to see if they are up. If say east-coast-1 is down it will send all traffic to east-coast-2 (so only one is active at once).

I have two certs. One is for telecurve.net and the other is for a wildcard *.telecurve.net. For telecurve.net I am using certbot 0.31.0 with a cron that runs nightly (/usr/bin/certbot renew). For *.telecurve.net I am using acme.sh (I set it up a while ago).

Currently I have one server that runs these crons nightly. I never set up Let's Encrypt on the other boxes. How would I go about having it so that all three servers connect to Let's Encrypt to get their latest cert? I only need one box to renew and then somehow have the cert sent to all the other boxes. I could run a script that will do a DNS lookup, see if it's the active node and then scp the cert to all other nodes, but that seems like an ugly hack. Is there any way to have all boxes grab the latest cert from Let's Encrypt?

The boxes are running CentOS 7.
The web server is Apache.
I have root access.

Thanks in advance.

EDIT1: I was thinking perhaps instead of using certbot I can use something like acme to connect to DNSMadeEasy's API, check if there is a new cert and then, if there is, instead of keeping it locally push it to AWS, where all my web hosts would then grab it nightly?

This seems much more complicated than necessary. Use acme.sh and DNS validation using the DNSMadeEasy API to obtain certs on all three servers. There's no reason they all need to use the same one, and any scheme that would give you that situation would be much more complicated.

1 Like

Hi @dovid

Looks like a wrong configuration. You should create one certificate with both domain names:

telecurve.net
*.telecurve.net

Then you need dns-01 validation, so use your configured acme.sh and add the main domain.

That's possible. But if you create three certificates, choose different times to avoid overlapping TXT entries.

Server 1 - 00:00 - 08:00.
Server 2 - 08:00 - 16:00.
Server 3 - 16:00 - 00:00.

Won't Let's Encrypt refuse to issue a new cert if it just created one? So say we have
Server 1 - 00:00 - 08:00.
Server 2 - 08:00 - 16:00.
Server 3 - 16:00 - 00:00.

Say at 00:00 it generates a new cert for Jan 1 through March 31. Now when Server 2 connects it won't generate a new cert because it just created one. How do I get the same SSL cert for all three servers?

1 Like

That's wrong: you can create max. 5 identical certificates per week.

If you don't want that: Then copy the certificate from one to the other servers.

Ok. That's what I thought. But there is no way of "asking letsencrypt" for the same cert. There are no certs saved, they are generated and handed off to me. Correct?

1 Like

A certificate has a private and a public key.

The private key is on your machine, Letsencrypt doesn't know the private key.

So you have to copy both parts to another server.

The public part is downloadable via CT-logs. But that's the simpler part of the problem.

Ok. Perhaps we can dumb it down a bit. So when I look at my server I have four files:
cert1.pem - This is the cert
chain1.pem - This helps with the chain
fullchain1.pem - This helps with the chain
privkey1.pem - This is my private key

As I understood it privkey1.pem is my private key that I keep locally and then cert1.pem is the cert from Let's Encrypt. When I run acme.sh what I am getting from Let's Encrypt is cert1.pem, which is not public, correct? You wrote "The public part is downloadable via CT-logs. But that's the simpler part of the problem." I am trying to figure out which part is public that I can have each server fetch, which files can stay the same (I assume privkey1.pem) and which file I need to push to all the others (I assume cert1.pem). Correct?

1 Like

cert1.pem is public and is the signed copy of your certificate all by itself.

chain1.pem is the chain of CA certificates (not including the root) that signed your certificate. It is also public. At the moment, Let's Encrypt only has 1 intermediate cert, so there should only be one in there. But that's not guaranteed to be that way forever. This file would also be the same for everyone who gets a certificate from Let's Encrypt.

fullchain1.pem is literally just cert1.pem and chain1.pem combined into one file (and thus, public). It's useful for software that needs them combined.

privkey1.pem is your private key. It is private and cryptographically tied to your certificate. It was generated on your server and is needed in order to use the certificate to sign/encrypt things.

What you need to push to other servers is dependent on the software running on those servers. But it will always include the private key and the certificate in some form. Since you already have to copy the private key, you might as well copy everything you need rather than trying to re-download the public things from an external source. That just adds complication where it doesn’t need to exist.

1 Like

Just to expand on this a bit.

Some software needs the cert, chain, and private key all in separate PEM files. Some need the cert and chain combined and the private key separate. Some need all 3 combined. Some need them in an entirely different format like PFX or Java Keystore which means you'd have to convert them. Reading the docs for the software that will be using your cert will generally tell you what format it needs them in.

1 Like

You have to copy the private key. That’s critical. But if you copy the private key, you can add the public part and the intermediate certificate.

The main question: How can you transfer all keys from one server to another.

So it’s possible to download the public part, but it’s not relevant.

If you create three different certificates, then every certificate has its own private key.

The typical usage: The private key is generated. And exists only on that server.

Thank you all for the help. I seem to have got it working, with the line below:
./acme.sh --issue -d '*.telecurve.com' --dns dns_me --cert-file /tmp/telecurve.com/cert.pem --key-file /tmp/telecurve.com/key.pem --ca-file /tmp/telecurve.com/ca.pem --fullchain-file /tmp/telecurve.com/fullchain.pem

If the files have a newer timestamp than when I started, I know they are new and to ship them to the other boxes.

1 Like
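The two practical points made above, that the file set is cert + chain + fullchain + privkey with only privkey being secret, and that a newer timestamp is the signal to ship files to the other boxes, can be checked mechanically before anything is copied. The script below is an added example written for this thread, not code from the original posts or from acme.sh/certbot. It assumes openssl is installed, the certbot-style file names the thread lists, a stamp file (assumed name) that records the last deployment in place of "newer than when I started", and a staging directory from which the operator's own scp/rsync step runs. It verifies that the private key really belongs to the certificate and that fullchain.pem is exactly cert.pem followed by chain.pem, refuses to stage a mismatched set, and sets restrictive permissions on the private key.

```shell
#!/bin/sh
# Added example (not from the thread): validate a cert/chain/fullchain/privkey
# set produced by certbot or acme.sh and stage it for copying to other servers.
# Assumes: openssl on PATH; file names cert.pem, chain.pem, fullchain.pem,
# privkey.pem in the source directory (certbot naming, minus the "1" suffix).

# Return 0 if the private key and the certificate carry the same public key.
# Both openssl commands print the SubjectPublicKeyInfo in PEM form, so a
# plain string comparison is enough.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if fullchain.pem is byte-for-byte cert.pem followed by chain.pem,
# which is what the thread says the file is.
fullchain_is_cert_plus_chain() {
    cert="$1"; chain="$2"; fullchain="$3"
    cat "$cert" "$chain" | cmp -s - "$fullchain"
}

# Return 0 if the first file has a newer modification time than the second.
is_newer_than() {
    [ "$1" -nt "$2" ]
}

# Validate the set in $src and, if it is consistent and newer than the last
# deployment recorded in $stamp, copy fullchain.pem and privkey.pem into $dest
# with restrictive permissions and update $stamp.
# Exit status: 0 staged, 1 inconsistent set, 2 nothing new since last time.
stage_cert_set() {
    src="$1"; dest="$2"; stamp="$3"
    key_matches_cert "$src/cert.pem" "$src/privkey.pem" \
        || { echo "refusing to stage: privkey.pem does not match cert.pem" >&2; return 1; }
    fullchain_is_cert_plus_chain "$src/cert.pem" "$src/chain.pem" "$src/fullchain.pem" \
        || { echo "refusing to stage: fullchain.pem is not cert.pem + chain.pem" >&2; return 1; }
    if [ -e "$stamp" ] && ! is_newer_than "$src/cert.pem" "$stamp"; then
        echo "no new certificate since last deployment" >&2
        return 2
    fi
    mkdir -p "$dest" && chmod 700 "$dest" || return 1
    # fullchain is public; the private key must never be world-readable.
    cp "$src/fullchain.pem" "$dest/fullchain.pem" && chmod 644 "$dest/fullchain.pem" || return 1
    cp "$src/privkey.pem" "$dest/privkey.pem" && chmod 600 "$dest/privkey.pem" || return 1
    touch "$stamp"
}
```

Run `stage_cert_set /etc/letsencrypt/live/telecurve.net /var/lib/cert-stage /var/lib/cert-stage/.last-deploy` from the same nightly cron after the renew step; exit status 0 means the staging directory holds a fresh, verified set ready to be pushed over scp or rsync, and the mismatch check catches the classic mistake of copying a key from one renewal next to a certificate from another.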

I really don't think this is necessary, assuming the DNSMadeEasy API isn't stupid--overlapping TXT records aren't a problem for Let's Encrypt, so as long as the clients manage to delete only the records they created, no problem.

Thinking a little outside the box, set up acme.sh, generate the cert (which involves registering the ACME account) on one server, then copy the ACME account credentials to the other two servers. That way, the domain will be validated only once in a 30-day window, which should pretty well eliminate concerns with overlapping DNS records.

1 Like
