[SAC] [OSGeo] #2143: Centralize certbot for SSL cert handling.

#2143: Centralize certbot for SSL cert handling.
Reporter: TemptorSent | Owner: sac@…
     Type: enhancement | Status: new
Priority: normal | Milestone:
Component: Systems Admin | Keywords: SSL certbot
To reduce the number of certbot installations that must be configured and
maintained individually, I propose moving certbot operations to a single
primary location ('secure' VM would be a good option IMHO) and forwarding
verification requests from each host using http redirects or proxying, and
pushing out new keys to each host via ssh.
See https://nekudo.com/blog/letsencrypt-in-a-multiserver-environment for a
similar configuration.

In this configuration, I believe certbot can run in standalone mode with
no webserver required.

Each host only needs to provide a redirect or proxy entry to the certbot
host, rather than installing dependencies for certbot on every host.

Certs would be maintained for all domains in a single secure location,
reducing the chance of missing renewals and simplifying administration.

Backups would be simplified and the entire certbot configuration can be
easily copied to another host if needed.

Keys can be distributed to individual hosts using SCP automated with a
simple script after each certbot renewal runs.

Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2143&gt;
OSGeo <http://www.osgeo.org/&gt;
OSGeo committee and general foundation issue tracker.