 

Let's Encrypt SSL certs for same domain, multiple instances

I've successfully installed Let's Encrypt SSL certs on a domain instance (on Ubuntu 14.4), but I now want to install the same certs on another virtual instance for the same domain.

Question: With multiple virtual instances for the same domain, should I just copy over the certs from the initial instance (using the Let's Encrypt tools), or is there another, better way?

I imagine that you can't query Let's Encrypt for a new cert, or else it will invalidate the first.

I am currently sharing the certs, which works.

Carson Cole asked Apr 16 '16 03:04


1 Answer

Yes, it's possible. There are at least two options:

  • Run certbot in manual mode

    ./certbot-auto certonly --manual -d example.com
    

    In this case certbot requires a randomly named file to be served from .well-known/acme-challenge/, e.g.:

    http://example.com/.well-known/acme-challenge/-Y5pUBNKdx5GKSloP3RifHzUW3NT9xt1UAloNkHz7wc
    

    Now you could distribute the challenge file to all your servers, or create a rewrite from all your sites to a single challenge server:

    rewrite ^/.well-known/acme-challenge/(.*)$ http://acme.example.com/$1 redirect;
    

    acme.example.com should be served from a single server with root pointing to /tmp/certbot/public_html/ (or wherever you store the challenge files).

    Have a look at hooks in the certbot manual in order to script this procedure.

  • Use the DNS challenge. In this case you'll be asked to add a TXT record to your DNS, for the example.com domain:

    _acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"
    

    Again, you can automate this using the hooks --manual-auth-hook and --manual-cleanup-hook.

Tombart answered Nov 18 '22 08:11
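The hook script the answer points at, as an added example (not part of Tombart's answer or of certbot itself). One POSIX sh file serves as both --manual-auth-hook and --manual-cleanup-hook for the two options above: for http-01 it writes the key authorization into the single challenge server's root (assumed to be /tmp/certbot/public_html, the path the answer uses; the file goes directly under the root because the answer's rewrite strips the /.well-known/acme-challenge/ prefix) and checks that the public hostname actually serves it; for dns-01 it builds an nsupdate batch for the _acme-challenge TXT record. certbot really does export CERTBOT_DOMAIN, CERTBOT_VALIDATION and (http-01 only) CERTBOT_TOKEN to manual hooks; the ACTION and TSIG_KEY variables and the script path in the usage note are assumptions of this example. The token check matters because the token is attacker-influenced input to a script that writes files as the certbot user.

```sh
#!/bin/sh
# Added example (not from the answer above): one script usable as both
# --manual-auth-hook and --manual-cleanup-hook for the two options described.
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to manual hooks, and
# CERTBOT_TOKEN for http-01 only. Assumptions: the challenge server's webroot is
# /tmp/certbot/public_html as in the answer; ACTION=delete is set by the caller
# for the cleanup hook; TSIG_KEY points at an nsupdate key file.

CHALLENGE_ROOT="${CHALLENGE_ROOT:-/tmp/certbot/public_html}"
ACTION="${ACTION:-add}"

# Only base64url characters may appear in an ACME token. Refusing anything
# else keeps a hostile token (e.g. "../") from writing outside the webroot.
valid_token() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# http-01: write the key authorization under the challenge server's root.
# The answer's rewrite strips /.well-known/acme-challenge/, so the file sits
# directly in the root. Prints the path written; fails on a bad token.
place_challenge() {
    token="$1"; validation="$2"; root="${3:-$CHALLENGE_ROOT}"
    valid_token "$token" || { echo "refusing token: $token" >&2; return 1; }
    mkdir -p "$root"
    umask 022
    printf '%s' "$validation" > "$root/$token"
    echo "$root/$token"
}

# http-01 cleanup: remove the file once validation has run.
remove_challenge() {
    token="$1"; root="${2:-$CHALLENGE_ROOT}"
    valid_token "$token" || return 1
    rm -f "$root/$token"
}

# Self-check: fetch the file the way Let's Encrypt will, through the public
# hostname, so the rewrite on every front end is exercised as well.
check_served() {
    body="$(curl -fsSL --max-time 10 "http://$1/.well-known/acme-challenge/$2")" || return 1
    [ "$body" = "$3" ]
}

# dns-01: build the nsupdate batch that adds or deletes the TXT record.
dns_update_batch() {
    domain="$1"; validation="$2"; action="${3:-add}"
    printf 'update %s _acme-challenge.%s. 300 IN TXT "%s"\nsend\n' \
        "$action" "$domain" "$validation"
}

# Dispatch on what certbot exported. Nothing runs when invoked outside certbot.
if [ -n "${CERTBOT_TOKEN:-}" ]; then
    if [ "$ACTION" = add ]; then
        place_challenge "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" >/dev/null || exit 1
        check_served "$CERTBOT_DOMAIN" "$CERTBOT_TOKEN" "$CERTBOT_VALIDATION" \
            || echo "warning: $CERTBOT_DOMAIN does not serve the challenge yet" >&2
    else
        remove_challenge "$CERTBOT_TOKEN"
    fi
elif [ -n "${CERTBOT_DOMAIN:-}" ]; then
    dns_update_batch "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION" "$ACTION" \
        | nsupdate -k "${TSIG_KEY:?set TSIG_KEY to the nsupdate key file}"
fi
```

Installed as, say, /usr/local/sbin/acme-hook.sh (assumed path) on the machine that runs certbot, it is wired in with `certbot certonly --manual --preferred-challenges http --manual-auth-hook /usr/local/sbin/acme-hook.sh --manual-cleanup-hook "ACTION=delete /usr/local/sbin/acme-hook.sh" -d example.com`; swap `--preferred-challenges dns` to take the TXT-record route instead. Either way only one host ever talks to Let's Encrypt, which avoids the per-domain rate limits and the "which instance holds the current cert" question, and the resulting key and chain are then pushed to the other instances from that host.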