Using LetsEncrypt with multiple A-record domains


#1

Hi. I’m trying to set up TLS security on my domains and have some questions about the logistics. My special case is that I’m using multiple A-records (and AAAA) to achieve a poor man’s high-domain-availability. (My sites don’t generate enough traffic to be concerned with load balancing.) Since I have multiple copies of the sites outstanding, I used the “certonly --manual --preferred-challenges http” options to create a cert, creating and pushing the required authentication files to the field at the appropriate times. This worked fine, and I then ported the domain folder from /etc/letsencrypt/archive to the other servers, stitched it into their /etc/letsencrypt hierarchy, created the symlinks in /live/ and modified apache appropriately. And, it works, but I wonder if there is a better way to do this.

The server I used to create the cert recognizes it (certbot-auto certificates), but of course the others do not. From what I gather, this means the cert will automagically renew on that server, but I’ll be responsible for disseminating the renewed bits to the other boxes when it does renew.

Is there an easier way? Could I perhaps create duplicate certs on each box that would in turn each automatically renew? Should I even be using the /etc/letsencrypt hierarchy on the “other” boxes or should I just create my own repository on them somewhere to hold the ported certs?

Enough questions for now. I’m new at this, having experimented with one domain to date, and I’m hoping to find the best approach to using LetsEncrypt in my environment before I start generating certs in earnest.

Thanks in advance for any guidance you can provide


#2

Hi @restamp,

The best way to handle this situation is to use HTTP 301 redirects from http://example.com/.well-known/acme-challenge/ on each host to a single chosen host, and then get the certificates on that host. (You can use --webroot instead of --manual, thus allowing for automated renewals by running certbot renew frequently from cron, instead of manual intervention.) The CA follows redirects, and so it will allow the server that’s the target of the redirection to “speak for” whatever other server provided the redirection.

An alternative is to use the DNS-01 challenge type where you don’t have to update the servers at all but instead have to update the DNS zone.

You can’t have a separately-renewed certificate on each host because you’ll run afoul of the rate limits:

https://letsencrypt.org/docs/rate-limits/

So, you should probably get the certificate in one place and then push the certificate and key to each host from there. Since the other hosts won’t directly try to perform renewals, it isn’t particularly useful to run Certbot on them at all or try to replicate Certbot’s directory structure in /etc/letsencrypt.


#3
  1. For issuing the certs, you might want to run a “dedicated” site for the challenges and redirect every request for /.well-known/acme-challenge/ to that specific site. I.e., set up a site for “acme-validation.example.com” with as A (and AAAA) record only the fysical server on which you run certbot-auto and on all the servers set up the redirect: http://www.example.com/.well-known/acme-challenge/foo -> http://acme-validation.example.com/.well-known/acme-challenge/foo That way you don’t have to use --manual, but you can use --webroot (with -w set to the webroot path of the virtualhost for acme-challenge.example.com of course.
  2. The distributing of your certificates is rather your own choice. This can be scriptable using scp and other auto-login ssh commands (for example, using public key authentication). How you do that is your choice :slight_smile:

#4

Schoen, Osiris: Thanks for the speedy replies. Initially I tried using redirects (although, following the advice in this thread: Will Let's Encrypt work for me? (Multiple servers serving one domain) I used ProxyPass instead. But, instead of using --webroot, I just used the standard invocation (apache -d …) only to find that it did not do http-based authentication (and, of course, the TLS-SNI-01 failed). DNS-01 might be an option for me, but my master DNS server is not running on an Intel-based machine, which I suspect might present its own problems.

Right now I have certbox-auto running on each box because I initially created a cert for each box’s unique domainname (hostname -f) locally on each box. But, what I’m hearing is that if I move everything to one master box and generate all the certs there, then I can simply rsync the /etc/letsencrypt hierarchy to each of the other boxes daily and be done with it, right? (A side question: If my master cert-generating box goes away for some reason, could I just start running certbot-auto on one of the other boxes, in effect turning it into a new master, or am I hosed?)

Thanks again.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.