On 18/08/17 20:05, Stephan von Krawczynski wrote:
> On Fri, 18 Aug 2017 00:24:39 -0700 (PDT)
> Joseph Tam <jtam.h...@gmail.com> wrote:
>
>> Michael Felt <mich...@felt.demon.nl> writes:
>>
>>>> I use acme.sh for all of my LetsEncrypt certs (web & mail), it is
>>>> written in pure shell script, so no python dependencies.
>>>> https://github.com/Neilpang/acme.sh
>>>
>>> Thanks - I might look at that, but as Ralph mentions in his reply -
>>> Let's encrypt certs are only for three months - never ending circus.
>>
>> I wouldn't characterize it as a circus. Once you bootstrap your first
>> certificate and install the cert-renew cron script, it's not something
>> you have to pay a lot of attention to. I have a few LE certs in use,
>> and I don't think about it anymore: it just works.
>>
>> The shorter cert lifetime also helps limit damage if your certificate
>> gets compromised.
>>
>> Joseph Tam <jtam.h...@gmail.com>
>
> Obviously you do not use clustered environments with more than one node per
> service.
> Else you would not call it "it just works", because in fact the renewal is
> quite big bs as one node must do the job while all the others must be
> _offline_.
>

Couldn't the others just proxy to the one, for the .well-known directory? They can continue serving up the rest of the site fine, surely?

I've worked with clusters, and with LE/certbot, but not yet both together.

Richard