[GH-ISSUE #159] Question: Same cert across multiple servers? #58

New issue

Open

opened 2026-03-13 15:35:53 +03:00 by kerem · 2 comments

kerem commented

2026-03-13 15:35:53 +03:00

Owner

Originally created by @Daniel15 on GitHub (Mar 14, 2019).
Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/159

Say I need a certificate for *.example.com on three separate servers. Which approach would be preferable?

Ensure all three servers use the same username and password for acme-dns. Need to manually configure that, otherwise each server will end up creating its own acme-dns CNAME and it won't work properly
Renew the cert on just one of the servers, and copy it across to the others (eg. using rsync or scp/sftp)

Originally created by @Daniel15 on GitHub (Mar 14, 2019). Original GitHub issue: https://github.com/acme-dns/acme-dns/issues/159 Say I need a certificate for `*.example.com` on three separate servers. Which approach would be preferable? 1. Ensure all three servers use the same username and password for acme-dns. Need to manually configure that, otherwise each server will end up creating its own acme-dns CNAME and it won't work properly 2. Renew the cert on just one of the servers, and copy it across to the others (eg. using `rsync` or scp/sftp)

kerem commented

2026-03-13 15:35:59 +03:00

Author

Owner

@joohoi commented on GitHub (Mar 14, 2019):

The first option would be preferable. It makes the configuration much less flaky. rsyncing things around and handling restarts and such has too many possibilities for errors.

@joohoi commented on GitHub (Mar 14, 2019): The first option would be preferable. It makes the configuration much less flaky. `rsync`ing things around and handling restarts and such has too many possibilities for errors.

kerem commented

2026-03-13 15:36:06 +03:00

Author

Owner

@webprofusion-chrisc commented on GitHub (Mar 14, 2019):

This is a little off-topic for acme-dns but I'm actually working on this problem just now for https://github.com/webprofusion/certify - renew once and deploy to many targets (including remote/sftp/ssh). Yes, it raises a lot of interesting questions!

The benefit of centralised renewal is that it's simpler to track if you have/have not renewed the cert itself and you can perform the renewal work on behalf of servers/devices that can't/shouldn't renew for themselves. It's a natural problem related to wildcards, once you have one it may need to be applied to a large number of things, and you may not actually control all of those things.

@webprofusion-chrisc commented on GitHub (Mar 14, 2019): This is a little off-topic for acme-dns but I'm actually working on this problem just now for https://github.com/webprofusion/certify - renew once and deploy to many targets (including remote/sftp/ssh). Yes, it raises a lot of interesting questions! The benefit of centralised renewal is that it's simpler to track if you have/have not renewed the cert itself and you can perform the renewal work on behalf of servers/devices that can't/shouldn't renew for themselves. It's a natural problem related to wildcards, once you have one it may need to be applied to a large number of things, and you may not actually control all of those things.