Question: Same cert across multiple servers? #159

Open
Daniel15 opened this Issue Mar 14, 2019 · 2 comments

Daniel15 (Contributor) commented Mar 14, 2019

Say I need a certificate for *.example.com on three separate servers. Which approach would be preferable?

  1. Ensure all three servers use the same username and password for acme-dns. This needs to be configured manually; otherwise each server will end up creating its own acme-dns CNAME and it won't work properly.
  2. Renew the cert on just one of the servers and copy it across to the others (e.g. using rsync or scp/sftp).

joohoi (Owner) commented Mar 14, 2019

The first option would be preferable. It makes the configuration much less flaky. rsyncing things around and handling restarts and such has too many possibilities for errors.

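As an added example (not code from acme-dns, nor from anyone in this thread), the following Python models the acme-dns API that matters here, `POST /register` and `POST /update` with the `X-Api-User` / `X-Api-Key` headers, as an in-memory stand-in, and shows why option 1 works and separate registrations do not: every `/register` call creates a new subdomain, and `_acme-challenge.example.com` can only CNAME to one of them. `FakeAcmeDns`, `WebServer`, the hostnames, and the key authorizations are all constructed for this example.

```python
import base64
import hashlib
import hmac
import secrets
import uuid


def dns01_txt(key_authorization: str) -> str:
    """ACME DNS-01 record value: base64url(SHA-256(keyAuthorization)), no padding (43 chars)."""
    digest = hashlib.sha256(key_authorization.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


class FakeAcmeDns:
    """In-memory stand-in for an acme-dns instance serving `domain` (constructed for this example)."""

    def __init__(self, domain="auth.example.org"):
        self.domain = domain
        self.accounts = {}  # username -> account record returned by /register
        self.txt = {}       # fulldomain -> current TXT value

    def register(self):
        """POST /register: each call creates a fresh account with its own random subdomain."""
        subdomain = str(uuid.uuid4())
        account = {
            "username": str(uuid.uuid4()),
            "password": secrets.token_urlsafe(30),
            "fulldomain": f"{subdomain}.{self.domain}",
            "subdomain": subdomain,
            "allowfrom": [],
        }
        self.accounts[account["username"]] = account
        return dict(account)

    def update(self, headers, body):
        """POST /update: authenticate via X-Api-User / X-Api-Key, then set the 43-char TXT."""
        account = self.accounts.get(headers.get("X-Api-User", ""))
        if account is None or not hmac.compare_digest(account["password"], headers.get("X-Api-Key", "")):
            return 401, {"error": "forbidden"}
        if body.get("subdomain") != account["subdomain"]:
            return 401, {"error": "forbidden"}
        txt = body.get("txt", "")
        if len(txt) != 43:  # acme-dns only accepts a well-formed DNS-01 digest
            return 400, {"error": "bad_txt"}
        self.txt[account["fulldomain"]] = txt
        return 200, {"txt": txt}

    def resolve_txt(self, fulldomain):
        """What a DNS lookup of the acme-dns subdomain would return."""
        return self.txt.get(fulldomain)


class WebServer:
    """One of the hosts needing *.example.com; holds a copy of the acme-dns credentials JSON."""

    def __init__(self, name, acmedns, credentials):
        self.name = name
        self.acmedns = acmedns
        self.creds = credentials  # same shape as the /register response that ACME clients store on disk

    def present_challenge(self, key_authorization):
        """Publish the DNS-01 value and return the acme-dns name the CNAME must point at."""
        headers = {"X-Api-User": self.creds["username"], "X-Api-Key": self.creds["password"]}
        body = {"subdomain": self.creds["subdomain"], "txt": dns01_txt(key_authorization)}
        status, resp = self.acmedns.update(headers, body)
        if status != 200:
            raise RuntimeError(f"{self.name}: acme-dns update failed: {resp}")
        return self.creds["fulldomain"]


def cname_targets(shared: bool):
    """Set of acme-dns names that _acme-challenge.example.com would have to CNAME to.

    shared=True  -> option 1: one /register, credentials copied to all three servers.
    shared=False -> each server registers on its own (the failure mode described in the issue).
    """
    acmedns = FakeAcmeDns()
    names = ("web1", "web2", "web3")
    if shared:
        creds = acmedns.register()
        servers = [WebServer(n, acmedns, creds) for n in names]
    else:
        servers = [WebServer(n, acmedns, acmedns.register()) for n in names]
    targets = set()
    for i, server in enumerate(servers):
        # Constructed key authorizations; a real one is "<token>.<JWK thumbprint>" from the CA.
        targets.add(server.present_challenge(f"token{i}.thumbprint"))
    return targets


if __name__ == "__main__":
    print("shared credentials, CNAME targets:", cname_targets(shared=True))
    print("separate registrations, CNAME targets:", cname_targets(shared=False))
```

Two practical notes when doing this with a real acme-dns: if you register with an `allowfrom` list, it must cover the source addresses of all three servers, or the updates from the others are rejected; and the shared credentials let anyone holding them pass DNS-01 for `*.example.com`, so copy them to the servers with the same care as the private key.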
webprofusion-chrisc (Contributor) commented Mar 14, 2019

This is a little off-topic for acme-dns but I'm actually working on this problem just now for https://github.com/webprofusion/certify - renew once and deploy to many targets (including remote/sftp/ssh). Yes, it raises a lot of interesting questions!

The benefit of centralised renewal is that it's simpler to track if you have/have not renewed the cert itself and you can perform the renewal work on behalf of servers/devices that can't/shouldn't renew for themselves. It's a natural problem related to wildcards, once you have one it may need to be applied to a large number of things, and you may not actually control all of those things.
