Wondering if my use case is too weird for Let's Encrypt

FYI, I removed the auto-text as I’m not asking about an existing or proposed certificate, rather I’m wondering if my use case makes sense for Let’s Encrypt or not.

I have a fair bit of experience with manual request and install of certs from a few different CAs. This was usually in a situation where I had to manually distribute the private key and signed cert to a few locations for load balancing and DR purposes.

In the development of my own application, I’m using a similar strategy with 4 potential servers in 2 separate data centers (with 2 LBs running hot-hot in each DC) servicing requests for each domain (of which I’ve got 3).

I’d kind of like to try Let’s Encrypt but I’m wondering if my use case is too weird to do so. For example, all the documentation I’ve read indicates this is for a cert for a single server and single site. Can certbot / Let’s Encrypt function with a single domain across multiple servers (particularly the renewal process) and / or multiple domains on a single server? As a workaround, I’m considering making 3 different servers a “master” for each domain and then set up a daily Ansible job to manually move the new certs to the other 3 servers after renewal which should all happen in plenty of time if I auto-renew at 60 days on a 90 day cert. This is not my favourite option because of the added complexity but is certainly do-able if there’s no multi-server options with Let’s Encrypt / certbot.

Also, if I do manage to get this all working, do I need mod_md on my Apache servers or just mod_ssl loaded and certbot installed on the OS (and / or does the installation of certbot handle the installation and loading of mod_md and it’s hook to mod_watchdog for me OR is the renewal clock created by certbot on the OS and both mod_md and mod_watchdog are not necessary)? Is there an article / diagram that shows how the Apache / mod_md / ACME / certbot / Let’s Encrypt stack all interact? It’s not necessary to figure out if my use case above will work, but I’m kind of foggy on the details of how this all works under the hood which is, I guess, why I’m unclear about the viability of my use case.

In the end I’m mostly wondering if my use case is just too weird for Apache / mod_md / ACME / certbot / Let’s Encrypt to handle and I should go buy COTS DV certs, but I wanted to reach out here first and see if there was a reasonable way to use this stack as I’m a fan of the mission.

Thanks,

Scott

1 Like

Multiple domains per server is definitely fine. Multiple servers per domain are also fine, (if you could distribute the challenge file to each server or use DNS based validation API automation)

What certbot would do is really simple: Request a challenge file/token from Let’s Encrypt, provide instruction to you or automate the placing on the current server, try to validate. (For HTTP Based validation). Since you have multiple servers and might not be sure which server Let’s Encrypt will connect to when you request the certificate, just use DNS based validation should be a better way.

You’ll need to make sure your web server is ready to use HTTPS / SSL, since certbot will only test it and throw an error if it’s not.

Basically, in a fully automated process, certbot would request a verification token from ACME server (from Let’s Encrypt), then depends on the validation method you selected, certbot would either use DNS based validation (which then connect to your DNS provider) or place a file in the appropriate file directory (determined by configuration files or user-specified inputs from command line), then request Let’s Encrypt validation server to complete the challenges. Once the challenges are completed, it will update the files in the certificate directory, then try to reload your web server.

Personally, I would suggest you use DNS based validation, but it depends on the DNS provider for your domain.

Thank you

1 Like

Edit: sorry, I had assumed that mod_md works in a certain way, but then remembered that it doesn’t (yet).

Thanks very much for your response!

So, if I was able to use DNS based automation, I could use certbot on 4 different servers (with, presumably, 4 different private keys) to have Let’s Encrypt issue 4 separate certificates, each for cn
www.mydomain.com and then auto renew all 4 certs going forward? I guess I always assumed a FQDN could only have 1 public cert at a time, but I see now there’s no reason for that if, for example, I went
to separate SSL providers and bought certs from each.

I’m still unclear whether I need to explicitly install mod_md on my Apache servers or if certbot doesn’t need it / handles the install itself. I definitely understand that mod_ssl is required before getting started with certbot / Let’s Encrypt.

I think I’ll need to take a look at the DNS providers that have APIs which will work with certbot (or possibly move forward the timetable on setting up my own). The thing that puzzles me, though, is if HTTP validation would get confused about which one of
4 server token’s it should expect when doing the validation, wouldn’t DNS be equally confused or would EACH token based code show up as a TXT record at
_acme-challenge.<YOUR_DOMAIN> and as long as one of those records fulfills the needs of the the validation process THAT token is associated with then the validation concludes for THAT server successfully (lather, rinse, repeat for the other 3 servers)?
In other words, is it OK to have 4 different TXT record values at _acme-challenge.mydomain.com?

I suppose I’ll have to test (and find a Let’s Encrypt compatible DNS provider OR run my own DNS server which I was planning to, anyway, just not for this reason) but it appears that Let’s Encrypt is, at least, within the realm of possibility, based upon how
I’m laying out my infrastructure.

Thanks,

Scott

Definitely! Just make sure you won’t hit any of the rate-limits.

Each token will be shown under the query, and token should be removed after validation is completed (if the API/automation are set up correctly)

Yes

What’s the DNS provider you have?
You don’t need to limit your choice of ACME clients to certbot, there are a variety of clients available onhttps://letsencrypt.org/docs/client-options/

Thank you

1 Like

I really appreciate your feedback. You’ve given me a lot to think about.

Thanks,

Scott

As noted, yes, it’s OK, but ordinarily any one of those TXT records will be there only for the amount of time it takes to validate the domain–after that, they’re generally deleted.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.