I’m currently managing SSL configurations for a hybrid cloud setup, which spans AWS and Azure. My goal is to ensure seamless certificate issuance and auto-renewal using Let's Encrypt for multiple services hosted across these cloud computing platforms. While Certbot works well for individual servers, I’m facing some challenges:
DNS-01 Validation Issues: Synchronizing DNS changes between the cloud providers sometimes results in delays, causing validation to fail.
Firewall Rules: Configuring firewalls for HTTP-01 validation in dynamically scaling environments is tricky.
Certificate Management: Coordinating auto-renewal across a distributed infrastructure is proving difficult.
Does anyone have experience tackling similar challenges? How do you ensure smooth certificate renewals in multi-cloud computing environments? Any tips for optimizing Certbot or alternative tools for this use case?
We don't have that setup by any stretch of the imagination, but something leaps out at me. For dns-01, you could delegate the _acme-challenge DNS records to a subdomain or actually any other domain you control with a limited set of DNS servers that have a very low TTL. It should be simple to make the propagation in that setup be very quick. I do know some ACME clients can run a small DNS server for this very reason, but don't ask me the details about this.
This would look like (in BIND parlance):
_acme-challenge.your.domain. IN CNAME some.other.doman.name
We do this at our site and our hosts have special credentials that can only modify records in our special ACME zone. Works great. The downside is of course setting all that up the first time is a pain, especially if you are unfamiliar with how DNS servers work. What actually happens under the hood is the ACME clients at our site end up talking to the DNS master which runs a small shell script to write out the record to our special ACME zone in BIND format and then a zone update is triggered; this propagates to our DNS servers in a matter of seconds.