Hi. I’m trying to set up TLS security on my domains and have some questions about the logistics. My special case is that I’m using multiple A-records (and AAAA) to achieve a poor man’s high-domain-availability. (My sites don’t generate enough traffic to be concerned with load balancing.) Since I have multiple copies of the sites outstanding, I used the “certonly --manual --preferred-challenges http” options to create a cert, creating and pushing the required authentication files to the field at the appropriate times. This worked fine, and I then ported the domain folder from /etc/letsencrypt/archive to the other servers, stitched it into their /etc/letsencrypt hierarchy, created the symlinks in /live/ and modified apache appropriately. And, it works, but I wonder if there is a better way to do this.
The server I used to create the cert recognizes it (certbot-auto certificates), but of course the others do not. From what I gather, this means the cert will automagically renew on that server, but I’ll be responsible for disseminating the renewed bits to the other boxes when it does renew.
Is there an easier way? Could I perhaps create duplicate certs on each box that would in turn each automatically renew? Should I even be using the /etc/letsencrypt hierarchy on the “other” boxes or should I just create my own repository on them somewhere to hold the ported certs?
Enough questions for now. I’m new at this, having experimented with one domain to date, and I’m hoping to find the best approach to using LetsEncrypt in my environment before I start generating certs in earnest.
Thanks in advance for any guidance you can provide.
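The post renews on one server and hand-copies the renewed material to the others. One way to automate that dissemination step, as an added example that is not part of the original post or of certbot itself, is a `--deploy-hook` script: certbot runs it after each successful renewal with `RENEWED_LINEAGE` set to the `/etc/letsencrypt/live/<name>` directory. Everything else here is an assumption: the peer hostnames, root SSH access to the peers, the `apache2` service name, and GNU coreutils (`readlink -f`, `stat -c`) on the renewing host.

```shell
#!/bin/sh
# Hypothetical certbot deploy hook (added example, not the poster's setup).
# certbot runs --deploy-hook scripts after a successful renewal with
# RENEWED_LINEAGE=/etc/letsencrypt/live/<name>. Peer hosts, the root SSH
# account and the apache2 unit name below are assumptions for illustration.
set -u

PEERS="${PEERS:-web2.example.net web3.example.net}"   # assumed peer hosts
SYNC_USER="${SYNC_USER:-root}"                          # assumed account that may write /etc/letsencrypt

# lineage_files: print the archive files behind a live/<name> directory, one per
# line. live/ holds only symlinks, so this is what actually has to travel.
lineage_files() {
  for f in cert.pem chain.pem fullchain.pem privkey.pem; do
    readlink -f "$1/$f" || return 1
  done
}

# key_is_private: succeed only if privkey.pem is readable by its owner alone
# (mode 600 or 400), so a loosened key is never copied around the fleet.
key_is_private() {
  mode=$(stat -c '%a' "$(readlink -f "$1/privkey.pem")") || return 1
  case "$mode" in
    600|400) return 0 ;;
    *)       return 1 ;;
  esac
}

# push_lineage: copy the archive directory and the live symlinks to each peer.
# rsync -a keeps symlinks, owner and the 0600 key mode; --relative reproduces
# the /etc/letsencrypt/... layout so apache on the peer can keep the same paths.
push_lineage() {
  lineage="$1"
  archive=$(dirname "$(readlink -f "$lineage/privkey.pem")")
  key_is_private "$lineage" || { echo "refusing to copy a world-readable private key" >&2; return 1; }
  for host in $PEERS; do
    rsync -a --relative "$archive" "$lineage" "$SYNC_USER@$host:/" || return 1
    ssh "$SYNC_USER@$host" 'systemctl reload apache2' || return 1
  done
}

# Only act when certbot invoked us; sourcing the file for its functions is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  push_lineage "$RENEWED_LINEAGE"
fi
```

Wire it in once with `certbot renew --deploy-hook /usr/local/sbin/push-certs.sh` (assumed path); certbot records the hook in the renewal config and runs it on every later renewal. The peers then never run certbot at all and need no `/etc/letsencrypt/renewal` entries, which answers the "should I use the hierarchy on the other boxes" question in favour of keeping the identical layout there but treating it as a mirror.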