FYI, I removed the auto-text as I’m not asking about an existing or proposed certificate; rather, I’m wondering if my use case makes sense for Let’s Encrypt or not.
I have a fair bit of experience with manual request and install of certs from a few different CAs. This was usually in a situation where I had to manually distribute the private key and signed cert to a few locations for load balancing and DR purposes.
In the development of my own application, I’m using a similar strategy with 4 potential servers in 2 separate data centers (with 2 LBs running hot-hot in each DC) servicing requests for each domain (of which I’ve got 3).
I’d kind of like to try Let’s Encrypt but I’m wondering if my use case is too weird to do so. For example, all the documentation I’ve read indicates this is for a cert for a single server and single site. Can certbot / Let’s Encrypt function with a single domain across multiple servers (particularly the renewal process) and / or multiple domains on a single server? As a workaround, I’m considering making 3 different servers a “master” for each domain and then setting up a daily Ansible job to manually move the new certs to the other 3 servers after renewal, which should all happen in plenty of time if I auto-renew at 60 days on a 90-day cert. This is not my favourite option because of the added complexity but is certainly doable if there are no multi-server options with Let’s Encrypt / certbot.
Also, if I do manage to get this all working, do I need mod_md on my Apache servers or just mod_ssl loaded and certbot installed on the OS (and / or does the installation of certbot handle the installation and loading of mod_md and its hook to mod_watchdog for me, OR is the renewal clock created by certbot on the OS so that both mod_md and mod_watchdog are not necessary)? Is there an article / diagram that shows how the Apache / mod_md / ACME / certbot / Let’s Encrypt stack all interact? It’s not necessary to figure out if my use case above will work, but I’m kind of foggy on the details of how this all works under the hood, which is, I guess, why I’m unclear about the viability of my use case.
In the end I’m mostly wondering if my use case is just too weird for Apache / mod_md / ACME / certbot / Let’s Encrypt to handle and I should go buy COTS DV certs, but I wanted to reach out here first and see if there was a reasonable way to use this stack as I’m a fan of the mission.
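The "master per domain, then push to the other servers" workflow described in the post does not need a separate daily job: certbot can run a script for you with `--deploy-hook`, which it executes only after a lineage has actually been renewed, exporting `RENEWED_LINEAGE` (the `live/<name>` directory) and `RENEWED_DOMAINS` (the names on the cert). The renewal clock is the `certbot renew` timer or cron job that a packaged certbot installs; Apache itself then needs only mod_ssl, since mod_md is Apache's own built-in ACME client and is not involved when certbot obtains the certificate. The script below is an added example, not code from the post or from the certbot project. The peer hostnames, SSH as root, the `/etc/letsencrypt/live/<name>/` path on the peers, and `apachectl graceful` as the reload command are all assumptions you would replace with your own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from certbot): a certbot
# --deploy-hook that copies a freshly renewed lineage from the "master" for a
# domain to that domain's peer servers and reloads Apache there.
# certbot runs the hook only after a successful renewal and exports
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/app1.example.com) and
# RENEWED_DOMAINS (space-separated names on the cert).
# Peer hostnames, the SSH user and the remote paths are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints commands instead of running them

# Map a lineage name (the cert's primary domain) to the peers that must
# receive it. Assumed hostnames: 4 servers across 2 DCs, 3 peers per domain.
peers_for() {
  case "$1" in
    app1.example.com) echo "dc1-web2.example.net dc2-web1.example.net dc2-web2.example.net" ;;
    app2.example.com) echo "dc1-web1.example.net dc2-web1.example.net dc2-web2.example.net" ;;
    app3.example.com) echo "dc1-web1.example.net dc1-web2.example.net dc2-web2.example.net" ;;
    *) return 1 ;;
  esac
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Fail closed unless the private key's public half equals the cert's public
# key (works for RSA and ECDSA). A missing openssl also counts as failure.
key_matches_cert() {
  local key="$1" cert="$2" kp cp
  kp="$(openssl pkey -in "$key" -pubout 2>/dev/null)" || return 1
  cp="$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)" || return 1
  [ -n "$kp" ] && [ "$kp" = "$cp" ]
}

# Copy the lineage to every peer, then do a checked graceful reload there.
distribute() {
  local lineage="$1" name peers peer
  name="$(basename "$lineage")"
  peers="$(peers_for "$name")" || { echo "no peers configured for $name" >&2; return 1; }
  for peer in $peers; do
    # -L dereferences certbot's live/ symlinks so peers receive real files;
    # --chmod leaves every file (privkey.pem included) readable by root only,
    # which is enough because Apache reads cert and key as root at startup.
    run rsync -aL --chmod=Du=rwx,Dgo=,Fu=rw,Fgo= \
      "$lineage/" "root@$peer:/etc/letsencrypt/live/$name/"
    # configtest first so a bad file never takes a peer offline.
    run ssh "root@$peer" 'apachectl configtest && apachectl graceful'
  done
}

main() {
  local lineage="${RENEWED_LINEAGE:?set by certbot}"
  key_matches_cert "$lineage/privkey.pem" "$lineage/fullchain.pem" \
    || { echo "key/cert mismatch in $lineage, not distributing" >&2; exit 1; }
  echo "renewed: ${RENEWED_DOMAINS:-?} -> distributing $lineage"
  distribute "$lineage"
}

# Only act when invoked by certbot; the variable is absent when the file is
# sourced for testing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  main
fi
```

Install it once per master with `certbot ... --deploy-hook /usr/local/sbin/push-cert.sh` (certbot records the hook in the renewal config, so later `certbot renew` runs reuse it), or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`. Because the hook only fires on a real renewal, the peers are never more than one renewal behind the master, and the key/cert consistency check stops a half-written lineage from being shipped. If you would rather not give the master root SSH to its peers, the same script works with a restricted deploy user and a sudo rule limited to the rsync target and `apachectl`.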