0

Am trying to deploy using Ansible (Ansible is not really relevant to the question but is just to give the whole picture) the Certbot configuration in order to obtain wildcard certificates to a cluster of Nginx servers that will be load-balanced pacemaker-corosync.

What I've achieved so far:

  • Using DNS Plugins (nsone and gandi) am able to obtain my wildcard certificates on all my Nginx servers
  • All my Nginx are scheduled to renew certificates and renew simulation with sudo certbot renew --dry-run runs fine
  • Both Nginx are up and running and they are 'showing' the SSL certificate delivered by let's encrypt
  • I've noticed that each Nginx server is showing it's on SSL certificate (their hash is different), 241a808949dac993ea865a22ec92c3e3952cd6b8 Nginx1 and 82defeb9337d880f8d5380831c6527fb02c50a9b for Nginx2 and this worries me a little.

My questions are:

  • Is there a problem if the certificates are different on each server or it's by design?
  • Will I have any problem when the schedule kicks in and my certificates are renewed?
  • Using DNS challenge do I still need to copy the certs between servers instead of using Certbot as am doing (on each server)

I've found this answer https://serverfault.com/a/907911/606126 but am not quite sure this answers my own questions.

Uwe Keim
  • 2,420
  • 5
  • 30
  • 47
Kalem
  • 103
  • 1

1 Answers1

2

If you renew the certificate on each host, each will get separate certificate.

The disadvantage of this approach is that you can get rate-limited by Let's Encrypt if you have too many servers.

The other option is to run Certbot only on one host and then distribute the certificate to the other hosts manually.

Easiest approach is to utilize Certbot post validation hooks. You will create script which will distribute certs and configure/restart your servers after the certificate is renewed.

https://certbot.eff.org/docs/using.html#pre-and-post-validation-hooks

Monitoria
  • 136
  • 2