Updating SSL on multiple servers

Hi All,

I have 20+ servers using the same SSL for a single domain name. Since the SSL is going to expire, I want to find an easy way to renew them without much hassle.

As per the standard process, if I renew the SSL I believe the certificate will change and I will have to log in to all 20+ servers and deploy it one by one, which is time-consuming, and this process needs to be followed once every 90 days.

I am looking for any other alternate possibilities to get this work done more easily.

Is there a way we can just increase the SSL expiry date without changing the Private Key and Certificate content?

Also, I cannot do the file verification method because the files will be available only on one server and not on all the other servers, so I have to do it via the DNS method. Is there an alternate solution for this too?


You can renew using the same private key, but because the expiry date is encoded in the certificate itself you need to install the renewed certificate like a new one - there's no way around that. You also cannot adjust the 90 day lifetime issued by Let's Encrypt.

You should probably start thinking about how to automate the workflow - do you maybe already have a (secure) method to transfer files between the different servers? Maybe you could use something like that to automatically distribute (and install) the new certificate.

For obtaining the certificate you should also look into ways to automate this - maybe by automating the DNS challenge, or by making the HTTP-01 challenge work. There is no other validation method ("challenge"), except for the TLS-ALPN-01 challenge, but that works pretty similar to HTTP-01 and likely doesn't help you either.


Thanks for the reply. I just wanted to know: when I am renewing the certificate on one of the servers, will it make the old certificate on the other servers stop working?

Because I can do it on one, migrate it to the others manually, and then figure out the automation.


You can try scripting the process to distribute the certificate to all the servers (works for me).
I'll use myself as an example since I don't know your exact configuration.

  1. Certbot (or whatever client you are using) snags the cert.
  2. Post "hook" (SCRIPT)... SCP the certs to each server that needs it.

It is easy and painless (mostly) once you have it set up.

You can automate it within the certbot (or acme) process. Or CRON if it has to be done that way.

Every time you renew, the "post hook" copies the files "auto-magically" to the other servers in need.
Does that make sense?

Now... my process uses an ssh (internal) certificate to access the servers without intervention, but it works every time and I have been monitoring my stuff for (hate to admit it) over 15 years.

Only when I get nervous about an expiring cert do I intervene.
Usually I don't have to do anything.

Think about this option. You are talking about a bunch of sub-domains here.
That was my issue and this is how I solved it.

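An added example of the deploy-hook approach described in the post above; this is not the poster's script or code from the Let's Encrypt project. It is a POSIX shell script that certbot would run via `--deploy-hook`: it checks that the renewed lineage has the two files it needs, copies `fullchain.pem` and `privkey.pem` to each target host over SSH into a staging directory, moves them into place atomically, and reloads the web server. `RENEWED_LINEAGE` is the variable certbot really sets for deploy hooks; the hostnames, the `certdeploy` user, `/etc/ssl/acme`, the key path and the reload command are assumptions you would replace with your own. `DRY_RUN=1` prints the commands instead of running them, which is how the script can be exercised without any servers.

```shell
#!/bin/sh
# Added example of a certbot deploy hook (not from the thread or from certbot).
# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com) and
# RENEWED_DOMAINS in the hook's environment and only runs the hook when a
# certificate was actually renewed.
set -eu

# All of the following values are assumptions for the example.
TARGET_HOSTS="${TARGET_HOSTS:-web01.example.com web02.example.com web03.example.com}"
REMOTE_USER="${REMOTE_USER:-certdeploy}"            # unprivileged account on each target
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/acme}"            # where the targets keep the cert
SSH_KEY="${SSH_KEY:-/root/.ssh/certdeploy_ed25519}"  # key used only for this job
RELOAD_CMD="${RELOAD_CMD:-sudo systemctl reload nginx}"  # sudoers on target limited to this
DRY_RUN="${DRY_RUN:-0}"

# Execute a command, or print it instead when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Refuse to push a lineage that is missing the files the targets rely on.
check_lineage() {
    [ -f "$1/fullchain.pem" ] && [ -f "$1/privkey.pem" ]
}

# Push both files to one host, install them atomically, then reload.
deploy_to_host() {
    host="$1"; lineage="$2"
    ssh_opts="-i $SSH_KEY -o BatchMode=yes -o StrictHostKeyChecking=yes"
    # scp into a staging directory first, then mv into place, so the TLS
    # server never reads a half-written file.
    run scp $ssh_opts "$lineage/fullchain.pem" "$lineage/privkey.pem" \
        "$REMOTE_USER@$host:$REMOTE_DIR/staging/"
    run ssh $ssh_opts "$REMOTE_USER@$host" \
        "chmod 0600 $REMOTE_DIR/staging/privkey.pem && \
         mv $REMOTE_DIR/staging/fullchain.pem $REMOTE_DIR/fullchain.pem && \
         mv $REMOTE_DIR/staging/privkey.pem $REMOTE_DIR/privkey.pem && \
         $RELOAD_CMD"
}

# Deploy to every host. Keep going after a failure so one unreachable box
# does not leave the rest on the old certificate; exit non-zero at the end.
deploy_cert() {
    lineage="$1"
    check_lineage "$lineage" || { echo "missing fullchain/privkey in $lineage" >&2; return 2; }
    failed=0
    for host in $TARGET_HOSTS; do
        if ! deploy_to_host "$host" "$lineage"; then
            echo "deploy to $host failed" >&2
            failed=1
        fi
    done
    return $failed
}

# When certbot invokes this script as a deploy hook, RENEWED_LINEAGE is set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE"
fi
```

Wire it in with `certbot renew --deploy-hook /path/to/this-script.sh` or by placing it in certbot's `renewal-hooks/deploy/` directory. On each target, keep the `certdeploy` account narrow: an `authorized_keys` entry restricted to this purpose and a sudoers rule limited to the reload command, so the key that copies the certificates cannot do more than that if it leaks. A host that is down during a run simply keeps serving the previously installed certificate, which remains valid until its own expiry; the non-zero exit tells you to rerun for that host.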

I typically proxy all traffic to /.well-known/acme-challenge/ onto a single node that actually runs the LetsEncrypt client. You can also 301 redirect all of that traffic to a single hostname/node.

There are a lot of ways people handle this; a very small listing includes:

