Wildcard Cert on Another Server

Hi guys,

I currently have a Let's Encrypt wildcard cert running fine (via DNS validation) on my home server (server A, port A) on a non-standard https port. All is good. Installation was done via acme.sh

I want to bring up another server (server B, port B).

My questions are:

  1. Do I run acme.sh on Server B? Will this nullify the certs on Server A?
  2. Or do I just make a script to copy the certs over to Server B from Server A?

Pls advise. Thanks in advance.

Hi @narcoczen,

From the point of view of the CA system, you can have any number of certs from any number of CAs, covering any combinations of domain names, and use each of them on as many different servers as you like. Certificates never contradict each other. Each one basically says "according to this CA, this encryption key is OK to use when communicating with this entity [e.g., with these specified domain names]", which doesn't mean that the same or another CA couldn't confirm that a different key was also OK to use.

So you have the choice of either option, and both are valid.

The Let's Encrypt service has rate limits which restrict how often you can get certificates (especially duplicative ones) from Let's Encrypt itself, but if you only have two servers, getting separate certificates for both (if you prefer) is OK and won't run up against Let's Encrypt's rate limits.


Noted. Thank you. I do hope to avoid rate limits, so better to copy the cert to the other server?
Thanks.


If everybody in this situation would copy the certificate (and private key, don't forget that one), it would decrease the load on Let's Encrypt servers somewhat, which is a good thing. If everybody just got duplicate certificates from the Let's Encrypt servers, it would increase load, which is a "bad" thing. (I'm putting "bad" between quotes, because the actual increase in load on the servers is probably very tiny considering the fact Let's Encrypt issues almost two million certs per day, but if the group of people requesting duplicate certs is large enough, it might have a detectable influence. So it's probably more a theoretical/principle issue than really a practical one.)

That said, if you decide to copy over the certificate (which I personally think is a sign of "niceness" to Let's Encrypt considering the load on their servers), don't forget you need to securely copy over the private key corresponding to the certificate. You could use scp for that, which should be secure. Or encrypt the key in a strong way before transferring it in some other way.

Acme.sh also has the option to re-use the same private key for the certificates, so you would only have to securely transfer the private key once. If you decide not to reuse the same key, you'd have to securely transfer the private key every time the certificate was renewed.


Private key? The *.pem file?

Certificates as well as private keys can be ".pem" files. You're using acme.sh. I have no clue how acme.sh names the certificate and private key files. Please refer to the acme.sh documentation.

I just checked my server. The cert files are:

mycustomdomain.tech.cer
mycustomdomain.tech.key
ca.cer
fullchain.cer

So it's better I just copy all 4 over, right?

Yes. Securely.
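One way to do the copy the thread settles on (stage the four acme.sh files listed above, confirm the private key really belongs to the certificate, lock the key down to owner-only permissions, then push everything over scp so it is encrypted in transit) is the helper script below. It is an added example and is not acme.sh's own code or anything posted in the thread; the function names, the staging directory and the user@server-b target are assumptions, and the source directory is assumed to be wherever acme.sh wrote the four files on server A.

```shell
#!/bin/sh
# Added example (not acme.sh code): copy a wildcard cert plus its private key
# from server A to server B the careful way the thread describes.
# Assumes $1 of stage_certs is the directory where acme.sh wrote the four
# files and that server B is reachable as user@host over SSH.
set -eu

# Return 0 only if the private key in $2 belongs to the certificate in $1:
# derive the public key from each and compare them (works for RSA and EC).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Stage DOMAIN.cer, DOMAIN.key, ca.cer and fullchain.cer from $1 into $3,
# refusing to continue if a file is missing or the key does not match the cert.
# The key ends up owner-read/write only; the public parts are world-readable.
stage_certs() { # $1 = source dir, $2 = domain, $3 = staging dir
    src=$1; domain=$2; dst=$3
    for f in "$domain.cer" "$domain.key" ca.cer fullchain.cer; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    key_matches_cert "$src/$domain.cer" "$src/$domain.key" \
        || { echo "$domain.key does not match $domain.cer" >&2; return 1; }
    mkdir -p "$dst"; chmod 700 "$dst"
    for f in "$domain.cer" ca.cer fullchain.cer; do
        cp "$src/$f" "$dst/$f"; chmod 644 "$dst/$f"
    done
    cp "$src/$domain.key" "$dst/$domain.key"; chmod 600 "$dst/$domain.key"
}

# Push the staged directory to server B. scp rides on SSH, so the private key
# is encrypted in transit; -p keeps the permissions set above.
push_certs() { # $1 = staging dir, $2 = user@serverB, $3 = remote dir
    scp -rp "$1/." "$2:$3/"
}

# Example invocation (placeholder paths): run on server A after each renewal.
# stage_certs "$HOME/.acme.sh/mycustomdomain.tech" mycustomdomain.tech "$HOME/certstage"
# push_certs "$HOME/certstage" user@server-b /etc/ssl/mycustomdomain.tech
```

If you take the acme.sh route of reusing the same private key across renewals (mentioned earlier in the thread), only the three public files change on each run and the key needs copying once.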