Answer the question
In order to leave comments, you need to log in
Can I initiate a Let's Encrypt certificate on a server other than the server?
Hello!
There are several (more precisely, many) servers for which different certificates are installed, including Let's Encrypt. It is planned to transfer all servers to Let's Encrypt certificates.
The problem is that the OS on some servers, to put it mildly, is not the first freshness. Certbot cannot be installed on these servers, because half the system needs to be updated before this, and this option is not suitable.
Also, the number of servers is increasing over time, and it is required to create a single platform for issuing and renewing certificates. Those. I would like to move the function of obtaining / updating certificates from Let's Encrypt to a separate server.
Question: Can this be implemented?
PS: for the time being, it is planned to obtain certificates using the HTTP-01 verification method, i.e. via the _http://YOUR_DOMAIN/.well-known/acme-challenge/TOKEN_ directory.
Answer the question
In order to leave comments, you need to log in
In general, the answer to this question is: "Yes, it is possible to initiate the receipt of a Let's Encrypt certificate not on the server."
Brief variants of perversions:
We have (conditionally):
A - a server with a service of requests for issuing/reissuing Let's Encrypt certificates.
B and C are servers with web applications (proxy servers) for which it is necessary to issue/reissue Let's Encrypt certificate requests.
1.a. Release. Run certbot on server A, process output, create files with tokens on servers B and C, copy certificates to servers B and C.
1.b. Reissue. On servers B and C, use the built-in certbot mechanism and the preset crond/systemd-timers task.
2.a. Release. Run certbot on server A, process output, create files with tokens on server A, copy certificates to servers B and C. On servers B and C, create additional web server processing for domain.com/.well-known requests that will to be proxied to server A. On server A, install a web server that accepts proxied requests.
2.b. Reissue. On servers B and C, use the built-in certbot mechanism and the preset crond/systemd-timers task.
3.a. Release. Run certbot on server A, process the output, create files with tokens on servers B and C, copy certificates to servers B and C.
3.b. Reissue. On server A, use the built-in certbot mechanism and the pre-installed crond/systemd-timers task, copy certificates to servers B and C.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question