Renew wildcard cert on multiple servers

I created a wildcard cert and put it on:

  • four IIS servers responding to www.mysite.com
  • other IIS servers responding to other subdomains
  • Linux servers responding to other subdomains

Great. All is good.

I was able to renew the cert on the original server. What is the best practice to renew the same cert on all my servers?
Run CTW on all IIS servers?
Run something else (certbot?) on the Linux servers?
Something else?

EDIT: After asking, I found info on a “Central Certificate Store”. Is that the answer? (At least for Windows.)

Thanks again for the great service!

Hi, because you have a need to distribute the certificate in different ways, I would write a post-request PowerShell script (Show Advanced Options > Scripting and https://docs.certifytheweb.com/docs/script-hooks.html) to copy the file as required. From there you can do something like a scheduled task or file watcher script to pick up the certificate file and convert it as required.

For IIS across multiple services I would copy the cert to a share and set that share up amongst your IIS servers as your CCS store path, as that’s the easiest way to share certs across multiple servers on Windows.

For Linux, I would script a conversion of the pfx to whatever format you need (usually .pem), then upload to the Linux server via ftp/sftp or any other file transfer means. You could do that as a scheduled task rather than having to make it part of the Certify PowerShell scripting.
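As an added example (not the project's code and not from anyone in this thread), here is what a post-request PowerShell hook doing the three steps above might look like: copy the PFX into the CCS share under the file name CCS expects for a wildcard, convert it to PEM, and push the PEM files to the Linux hosts over SSH. The `$result` object and its `IsSuccess`/`ManagedItem.CertificatePath` properties are taken from the linked script-hooks docs; the share path, host names, PFX password and the presence of openssl.exe and scp.exe on PATH are assumptions.

```powershell
# Post-request hook for Certify The Web (added example, not the project's own script).
# Assumptions: Certify passes a $result object with $result.IsSuccess and
# $result.ManagedItem.CertificatePath; the hook runs as an account that has write
# access to the CCS share and an SSH key trusted by the Linux hosts.
param($result)

$CcsShare    = '\\fileserver\ccs'                # placeholder: UNC path configured as the CCS physical path
$LinuxHosts  = @('deploy@web-linux-1.example.invalid', 'deploy@web-linux-2.example.invalid')  # placeholders
$PfxPassword = 'same-password-as-CCS'            # placeholder: CCS uses one private-key password for every PFX it serves

if (-not $result.IsSuccess) {
    Write-Host "Certificate request failed: $($result.Message)"
    exit 1
}

$pfx = $result.ManagedItem.CertificatePath

# 1. IIS: CCS picks the certificate by file name. A wildcard for *.mysite.com must be
#    stored as _.mysite.com.pfx. Write to a temp name and rename so IIS never reads a half-copied file.
$ccsTarget = Join-Path $CcsShare '_.mysite.com.pfx'
Copy-Item -Path $pfx -Destination "$ccsTarget.tmp" -Force
Move-Item -Path "$ccsTarget.tmp" -Destination $ccsTarget -Force

# 2. Linux: split the PFX into a chain file and an unencrypted key file (PEM)
$work = Join-Path $env:TEMP ('certdeploy-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $work | Out-Null
$chain = Join-Path $work 'fullchain.pem'
$key   = Join-Path $work 'privkey.pem'
& openssl pkcs12 -in $pfx -passin "pass:$PfxPassword" -nokeys -out $chain
& openssl pkcs12 -in $pfx -passin "pass:$PfxPassword" -nocerts -nodes -out $key

# Only the running account may read the extracted private key while it sits on disk
icacls $key /inheritance:r /grant:r "$($env:USERNAME):(R)" | Out-Null

# 3. Push to each Linux host and reload the web server there (sudo rule for the reload assumed)
foreach ($linuxHost in $LinuxHosts) {
    & scp -q $chain $key "${linuxHost}:/etc/ssl/mysite/"
    & ssh $linuxHost 'sudo systemctl reload apache2'
}

Remove-Item -Recurse -Force $work
```

Every PFX in a CCS directory has to be protected with the same password the store was configured with, so keep `$PfxPassword` aligned with the PFX password set in Certify.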

Thanks. That looks like a pain.

Wouldn’t it be easier just to create a different wildcard cert for each and every server?
I wonder if it would be a problem to have different certificates on each of the www servers.

Yes, it does require some effort, but it’s a one-off effort and your renewal automation would benefit from it. You already have your certificate; you just need to distribute it.

In the future I will be looking at ways to integrate such multi stage deployment into Certify as individual deployment tasks.

Yes, as you are using a DNS challenge you can have a few clients requesting the same certificate. The limit imposed by Let’s Encrypt for issuing the same certificate multiple times is 5 duplicates per week according to their docs: https://letsencrypt.org/docs/rate-limits/

Wouldn’t it be easier to just allow CertifyTheWeb to use the same DNS entry for the challenge?

Hi, the TXT value of the DNS challenge is set by Let’s Encrypt and is distinct per client that’s trying to request the challenge. You could try to share account keys etc., but that’s unlikely to be practical cross client/cross platform.

V5 (currently in alpha) attempts to address the task of distributing the cert to multiple servers (Windows or Linux) using Deployment Tasks (so you can export to Apache on Linux via SSH, or to a Central Certificate Store over a UNC path, etc.). You need to use DNS validation when there are multiple servers involved though, because HTTP validation will usually be difficult to coordinate if there are multiple possible HTTP servers.