Single Certificate for multiple hosts


#1

My domain is: msazure.developatribe.com
My web server is (include version): app = Mattermost
The operating system my web server runs on is (include version): Ubuntu 18.04
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

I have 2 servers load balanced for my application. I have Certbot certificates successfully installed and tested on 1 server. I would like to have the same certificate installed on the other server as well. I am not sure on the best practice to achieve this. Any ideas welcome. Thanks.


#2

Hi @johnthompson365

Is it possible for you to copy the certificate from server 1 to server 2 and install it?

That would be the best solution.


#3

Thanks for the response Juergen.

I assume you suggest I go through the process of copying the .pem files and running update-ca-certificates?

So there is no method to re-run Certbot for the same domain on a different server?


#4

How are they load-balanced? This would inform the strategy for how to coordinate certificate renewal across them.


#5

Thanks for the reply.

I have an Azure Basic Load Balancer just passing the traffic back to the hosts where the SSL is terminated. No off-loading or bridging.


#6

It sounds like Certbot could not reliably perform renewal unless the renewal host was able to write the challenge response file to both servers, right? Since the validation request from Let’s Encrypt’s validation service has a 50% chance of arriving at either server.

If one server has to deploy files to the other (for the challenge response part), then you could also leverage that access to copy the certificate and private file over (e.g. using a hook in /etc/letsencrypt/renewal-hooks/deploy) and then reload the webserver in both locations.

(So you’d only run Certbot on one “master” server).

One alternate strategy can also be to use DNS validation, and run Certbot in both locations. Yes, you’d have duplicate certificates, but with only 2 servers, it’s unlikely to be a problem.


#7

Hi _az,

Sorry for slow reply but first chance to get back to the problem in hand.

I am new to Let's Encrypt, so I think the DNS validation looks like the simplest option at present. So I assume I could just run sudo certbot certonly --standalone -d msazure.developatribe.com and it would install another certificate?

Thanks.


#8

DNS validation requires interacting with your DNS hosting (GoDaddy).

Certbot can’t do this out of the box, but other clients like acme.sh can, e.g.: https://github.com/Neilpang/acme.sh/tree/master/dnsapi#4-use-godaddycom-domain-api-to-automatically-issue-cert

--standalone necessarily uses HTTP validation, which is complicated by your load balancer scenario.


#9

Also “certonly” would only get a cert; it would not “install” it anywhere.
The installation part can be done manually and should be no real cause for concern.
[just making that point clear so if you do ever get a cert that way you understand the outcome better]


#10

Thanks for the info.

So am I able to use the 4 .pem files I already have and manually copy them to the other server?
I assume the chain.pem requires converting and installing as the public CA?
And the cert.pem and private.pem (?) are converted and saved as per:

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private


#11

There are only two PEMs that matter:

  • privkey.pem - Your certificate’s private key
  • fullchain.pem - Your certificate (plus the intermediate).

These map directly to SSLCertificateKeyFile + SSLCertificateFile and ssl_certificate_key + ssl_certificate in Apache and nginx, respectively.

No need to mess about with local CAs or anything like that.

And yes, you can just copy those two files between servers.
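
An added example (not posted by anyone in this thread) that puts #6 and #11 together: a deploy hook that Certbot runs on the "master" node after a successful renewal, copying only privkey.pem and fullchain.pem to the second node and reloading the web server on both. Certbot really does run every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a renewal and exports RENEWED_LINEAGE and RENEWED_DOMAINS to it; everything else is an assumption made up for the example: the peer hostname app2.internal, the dedicated SSH account certdeploy, the target directory /etc/ssl/mattermost, and that nginx (one of the two servers named in #11) terminates TLS in front of Mattermost and is what gets reloaded. The SSH key for certdeploy is assumed to be restricted on the peer to the scp target and the one sudo reload command.

```shell
#!/bin/sh
# Added example: Certbot deploy hook for the two-node setup in this thread.
# Install on the "master" node as
#   /etc/letsencrypt/renewal-hooks/deploy/push-to-peer.sh   (chmod 755)
# Certbot runs every script in that directory after a successful renewal and
# exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) and
# RENEWED_DOMAINS (space-separated) to it.
set -eu

# --- assumed values: none of these come from the thread; adjust to your hosts ---
DOMAIN="msazure.developatribe.com"
PEER_HOST="${PEER_HOST:-app2.internal}"       # the second load-balanced node
PEER_USER="${PEER_USER:-certdeploy}"          # dedicated, unprivileged SSH account
PEER_DIR="${PEER_DIR:-/etc/ssl/mattermost}"   # where the peer's web server reads the PEMs
RELOAD_CMD="${RELOAD_CMD:-sudo systemctl reload nginx}"  # the one command sudo grants $PEER_USER

# Return 0 if the certificate Certbot just renewed is the one this hook manages.
# Other lineages on the same host must not trigger a copy.
lineage_matches() {
  renewed_domains="$1"
  wanted="$2"
  for d in $renewed_domains; do
    if [ "$d" = "$wanted" ]; then
      return 0
    fi
  done
  return 1
}

# Fail closed before touching the network: both PEMs must exist, and the
# private key must not be world-readable. Certbot's live/ entries are
# symlinks into archive/, so ls -L follows them to the real file.
preflight() {
  lineage="$1"
  for f in fullchain.pem privkey.pem; do
    if [ ! -r "$lineage/$f" ]; then
      echo "preflight: missing $lineage/$f" >&2
      return 1
    fi
  done
  # In the 10-character mode field of ls -l, column 8 is "read by others".
  case "$(ls -lL "$lineage/privkey.pem")" in
    ???????r*)
      echo "preflight: refusing to copy a world-readable privkey.pem" >&2
      return 1 ;;
  esac
  return 0
}

# Copy only the two files that matter (see #11) and reload the peer.
# scp -p preserves the 0600 mode of privkey.pem on the far side.
deploy_to_peer() {
  lineage="$1"
  scp -pq "$lineage/fullchain.pem" "$lineage/privkey.pem" \
      "$PEER_USER@$PEER_HOST:$PEER_DIR/"
  ssh "$PEER_USER@$PEER_HOST" "$RELOAD_CMD"
}

main() {
  if ! lineage_matches "${RENEWED_DOMAINS:-}" "$DOMAIN"; then
    exit 0   # some other certificate was renewed; nothing to do
  fi
  preflight "$RENEWED_LINEAGE"
  deploy_to_peer "$RENEWED_LINEAGE"
  systemctl reload nginx   # this node serves the same files, so reload it too
}

# Certbot sets RENEWED_LINEAGE when it invokes the hook; if it is unset the
# script was run by hand and only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Because the hook only fires for a lineage that Certbot actually renewed, running it under `certbot renew` on the master is enough; the peer never runs Certbot and never needs the HTTP challenge to land on it, which is the problem #6 raises with the round-robin load balancer. The copy from /etc/letsencrypt/live/ is exactly the two-file copy #11 describes, with nothing installed into the system CA store.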