Ubuntu HA Mirror Configuration - Renewing Certificates on Secondary Server

Quick question:

We have a pair of ubuntu servers running as a HA mail server, running surgemail. I’ve got the primary server set up successfully with certificates for each of the hosted domains, and set up a cronjob to renew them.

I can of course copy the certificates manually from primary to secondary server, and with a little work can script that copy.

But I wanted to know if it’s possible to just run “certbot renew” on the secondary server (with certbot installed of course, and the entire /etc/letsencrypt folder replicated from primary to secondary) or will that cause problems?

Thanks for any guidance.

j

Hi @newkirk,

If you’ve copied everything from /etc/letsencrypt, including the symbolic links, it should be possible to run certbot renew on the other server as well.

Please be aware of rate limits: if you’re renewing on two different machines, you’ll be generating certificates twice as fast as you otherwise would. (If you only have this single certificate, you should still not encounter any rate limits in this setup.)
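The point about copying "including the symbolic links" is the one most often missed: certbot keeps the real files under archive/<name>/ and makes live/<name>/*.pem relative symlinks into it, and a dereferencing copy (scp -r, or a copy tool that follows links) silently turns those into plain files, after which renew on the second machine no longer updates what the mail server reads. The script below is an added example, not from this thread or from certbot. It builds a constructed, throwaway letsencrypt-style tree in a temporary directory, replicates it once with symlinks preserved and once dereferenced, and checks each copy the way you would check a real /etc/letsencrypt before trusting it (the lineage name and file contents are made up).

```python
"""Check whether a replicated /etc/letsencrypt tree kept its live/ symlinks.

Added example, not from the thread. Builds a constructed certbot-style
layout in a temp directory, replicates it two ways, and reports whether
live/<lineage>/*.pem are still symlinks that resolve into archive/.
"""
import os
import shutil
import tempfile

PEM_NAMES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def make_fake_letsencrypt(root, lineage="mail.example.com"):
    """Construct a minimal certbot-style layout (constructed sample data)."""
    archive = os.path.join(root, "archive", lineage)
    live = os.path.join(root, "live", lineage)
    os.makedirs(archive)
    os.makedirs(live)
    for name in PEM_NAMES:
        stem = name[:-4]
        with open(os.path.join(archive, f"{stem}1.pem"), "w") as fh:
            fh.write(f"-----BEGIN FAKE {stem.upper()}-----\n")
        # certbot's live/ entries are relative symlinks into ../../archive/<lineage>/
        os.symlink(os.path.join("..", "..", "archive", lineage, f"{stem}1.pem"),
                   os.path.join(live, name))
    return root


def check_live_symlinks(root):
    """Return {lineage: [problems]}; an empty list means that lineage is intact.

    A problem is a live/ entry that is not a symlink (a dereferencing copy
    turned it into a regular file) or a symlink that does not resolve to a
    file inside archive/<lineage>/.
    """
    report = {}
    live_root = os.path.join(root, "live")
    archive_root = os.path.realpath(os.path.join(root, "archive"))
    for lineage in sorted(os.listdir(live_root)):
        lineage_dir = os.path.join(live_root, lineage)
        if not os.path.isdir(lineage_dir):
            continue  # certbot also drops a README file in live/
        problems = []
        expected_dir = os.path.join(archive_root, lineage)
        for name in PEM_NAMES:
            path = os.path.join(lineage_dir, name)
            if not os.path.islink(path):
                problems.append(f"{name}: not a symlink")
                continue
            target = os.path.realpath(path)
            if not (os.path.isfile(target) and target.startswith(expected_dir + os.sep)):
                problems.append(f"{name}: symlink does not resolve into archive/{lineage}/")
        report[lineage] = problems
    return report


def replicate(src, dst, preserve_symlinks):
    """Copy the tree. preserve_symlinks=False follows links, like scp -r does."""
    shutil.copytree(src, dst, symlinks=preserve_symlinks)
    return dst


def demo():
    """Replicate a constructed primary tree both ways and check each copy."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = make_fake_letsencrypt(os.path.join(tmp, "primary"))
        good = replicate(primary, os.path.join(tmp, "secondary-good"), True)
        bad = replicate(primary, os.path.join(tmp, "secondary-bad"), False)
        return check_live_symlinks(good), check_live_symlinks(bad)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("symlink-preserving copy:", good_report)
    print("dereferencing copy:     ", bad_report)
```

Run check_live_symlinks("/etc/letsencrypt") on the secondary after each sync; for the sync itself, rsync -a or tar preserve the links, while scp -r does not.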

Thanks, that’s what I’d hoped. I’ve got 17 certs on that server, hopefully that won’t exceed rate limits running the renewal every 24 hrs via cronjob on both machines.

j

It could, if the certs cover some of the same domain names. If sufficiently many of the certificates that relate to a particular registered domain (like subdomains of example.com) happen to renew during the same 7-day period so that a total of 20 certificates related to that domain have been issued during that period, you'll be rate limited under the certificates per registered domain limit.

If they relate to different registered domains or not many of them will renew during the same 7-day period, this issue won't arise.
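To make the reasoning in the two paragraphs above concrete, here is an added example (not from this thread or from Let's Encrypt) that takes a planned list of issuances, groups them by registered domain, and finds the busiest rolling 7-day window for each. The limit constant is the 20-per-registered-domain figure quoted above; the registered-domain extraction is a deliberate simplification (last two labels) rather than a Public Suffix List lookup, and both scenarios, 17 single-cert domains renewed on two servers versus 12 subdomains of one domain renewing in the same week, are constructed.

```python
"""Estimate exposure to the 'certificates per registered domain' rate limit.

Added example, not from the thread. Given planned issuances as
(date, fqdn) pairs, find the busiest rolling 7-day window per registered
domain and compare it with the limit quoted in the reply above.
"""
from collections import defaultdict
from datetime import date, timedelta

CERTS_PER_REGISTERED_DOMAIN = 20   # figure quoted in the reply above
WINDOW = timedelta(days=7)


def registered_domain(fqdn):
    """Simplified: last two labels. Real rules use the Public Suffix List
    (e.g. example.co.uk), so treat this as an approximation."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def busiest_window(dates):
    """Maximum number of issuances falling within any span shorter than WINDOW."""
    dates = sorted(dates)
    best, start = 0, 0
    for end, day in enumerate(dates):
        # slide the window start forward until everything in it is < 7 days old
        while day - dates[start] >= WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def rate_limit_report(issuances):
    """issuances: iterable of (date, fqdn). Returns {registered_domain: peak count}."""
    per_domain = defaultdict(list)
    for day, fqdn in issuances:
        per_domain[registered_domain(fqdn)].append(day)
    return {dom: busiest_window(days) for dom, days in per_domain.items()}


def at_risk(issuances):
    """Registered domains whose peak window reaches the quoted limit."""
    return sorted(dom for dom, peak in rate_limit_report(issuances).items()
                  if peak >= CERTS_PER_REGISTERED_DOMAIN)


def thread_scenario():
    """Constructed: 17 certs, one per registered domain, each renewed on both servers."""
    day0 = date(2024, 1, 1)
    return [(day0 + timedelta(days=i), f"mail.domain{i}.example")
            for i in range(17) for _server in range(2)]


def crowded_scenario():
    """Constructed contrast: 12 subdomains of one registered domain, all renewing
    within the same week, again on both servers."""
    day0 = date(2024, 1, 1)
    return [(day0 + timedelta(days=i % 7), f"host{i}.example.org")
            for i in range(12) for _server in range(2)]


if __name__ == "__main__":
    print("thread scenario peaks:", rate_limit_report(thread_scenario()))
    print("at risk:", at_risk(thread_scenario()))
    print("crowded scenario peaks:", rate_limit_report(crowded_scenario()))
    print("at risk:", at_risk(crowded_scenario()))
```

Feed it the notAfter dates from the existing certificates (each renews on its own schedule) and one entry per server per FQDN; a peak of 2 per registered domain, as in the 17-domain case, is nowhere near the limit, while a peak of 24 for a single domain is.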

OK, thanks. They are each for mail.domain.tld, only one for each domain. So I’d have it requesting renewal for the exact same 17 FQDNs once for each server, but not multiple-subdomain.

j

That should be fine and shouldn’t trigger any rate limits.
