
I manage about 20 virtual machines all running different web applications. The domain names of these web apps are subdomains of the same domain. I have one wildcard SSL certificate which will work for all these web applications.

Now, I can copy the SSL certificate to each of these machines and configure nginx to use them. But this just seems a brain-numbingly stupid thing to do. It gets even more stupid when I need to renew the certificate.

Is there some way of centrally hosting the certificate and making nginx on all the VMs access the certificate from the central location? Searching for such a feature only leads me to IIS-related documents.

I guess I could store the certificates on a Samba / CIFS share and mount them on all the VMs. But that seems a little unclean.

Anjan
  • [1 vote] Keep your certificates on an NFS share; Samba should also do your task. – serverliving.com May 13 '15 at 10:59
  • [2 votes] One more solution would be to have a load balancer serve all subdomains. This will make sure SSL needs to be installed only on the load balancer, and in your backend you need to connect to port 80. Not recommended as per security best practices. – serverliving.com May 13 '15 at 11:03
  • If you know the Ansible automation tool, that is the answer to your problem. – Jul 11 '16 at 03:49
  • This would probably be easier to answer in a good way if you tell us why you feel storing the certificate (*and private key*) on an SMB/CIFS share is "unclean". Without a fairly large overhaul of your architecture, it seems the cleanest solution to me, and would seem to be secure as long as you lock that share down tight. – user Jul 11 '16 at 07:49
  • [1 vote] For record's sake - I have gone ahead with Chef provisioning automation. That has taken care of this problem for me. So, when I replace the certificate, the recipes even take care of reloading NGINX for me. With an NFS share, I would still have had to log in to each server and reload NGINX. – Anjan Jul 11 '16 at 11:16
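As an added example (not code from the question or from any of the commenters), here is a POSIX shell script of the kind a Chef recipe, an Ansible task or a cron job could run on each of the 20 VMs. It takes the wildcard certificate and key from a central staging directory (a mounted NFS/CIFS share or an rsync target, as the comments suggest), checks that the certificate and private key actually belong together, installs the key root-only, and reloads nginx only when the files changed and the configuration validates. The directory names, file names and the staging-directory layout are assumptions.

```shell
#!/bin/sh
# Added example: install a wildcard cert/key pair on one nginx host from a
# central staging directory and reload nginx only when something changed.
# SRC_DIR and DEST_DIR are assumed paths; override them via the environment.
set -eu

SRC_DIR="${SRC_DIR:-/mnt/certs/wildcard.example.com}"
DEST_DIR="${DEST_DIR:-/etc/nginx/ssl}"

# Octal permission bits of a file (GNU stat, with a BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the certificate's public key matches the private key. A renewed
# certificate copied without its new key is the classic way this fails.
# Skipped with a notice when openssl is not installed.
cert_matches_key() {
    cert="$1"; key="$2"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found, skipping cert/key match check" >&2
        return 0
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Copy fullchain.pem (world-readable) and privkey.pem (root-only) from src to
# dest. Returns 0 if any file changed, 1 if the installed copies were current.
install_pair() {
    src="$1"; dest="$2"
    mkdir -p "$dest"
    changed=1
    for name in fullchain.pem privkey.pem; do
        if ! cmp -s "$src/$name" "$dest/$name" 2>/dev/null; then
            # Copy under umask 077 so the key is never group/world-readable,
            # even briefly, then rename so nginx never opens a half-written file.
            (umask 077; cp "$src/$name" "$dest/$name.tmp")
            mv "$dest/$name.tmp" "$dest/$name"
            changed=0
        fi
    done
    chmod 0644 "$dest/fullchain.pem"
    chmod 0600 "$dest/privkey.pem"
    return $changed
}

# 0 if the installed private key is readable by its owner only.
key_perms_ok() {
    mode=$(file_mode "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) return 1 ;;
    esac
}

main() {
    cert_matches_key "$SRC_DIR/fullchain.pem" "$SRC_DIR/privkey.pem" \
        || { echo "certificate and key do not match, aborting" >&2; exit 1; }
    if install_pair "$SRC_DIR" "$DEST_DIR"; then
        key_perms_ok "$DEST_DIR/privkey.pem" \
            || { echo "private key permissions are too open" >&2; exit 1; }
        # Validate the config first so a bad file does not take the site down.
        nginx -t && systemctl reload nginx
        echo "certificate updated and nginx reloaded"
    else
        echo "certificate unchanged, nothing to do"
    fi
}

# Run main only when executed directly as deploy_wildcard_cert.sh, so the
# functions can also be sourced by a test harness or another script.
if [ "${0##*/}" = "deploy_wildcard_cert.sh" ]; then
    main
fi
```

Whatever the transport, the point the comments circle around is that the private key on a shared NFS/CIFS export is a key for every subdomain, so the share's ACL plus the 0600 mode on each VM are what actually bound its exposure; the match check guards against the common renewal mistake of shipping a new certificate with the old key, and reloading only after `nginx -t` keeps one bad copy from taking all 20 sites down at once.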

0 Answers