
I have some internally available servers (all Debian) that share a LetsEncrypt wildcard certificate (*.local.example.com). One server (Server1) keeps the certificate up-to-date and now I'm looking for a process to automatically distribute the .pem-files from Server1 to the other servers (e.g. Server2 and Server3).

I don't allow root logins via SSH, so I believe I need an intermediary user.

I've considered using a cronjob on Server1 to copy the updated .pem-files to a user's directory, where an unprivileged user uses scp or rsync (private key authentication) via another cronjob to copy the files to Server2/3. However, to make this a more secure process, I wanted to restrict the user's privileges on Server2/3 by chrooting them to their home directory and only allowing them to use scp or rsync. It seems like this isn't a trivial configuration and most methods are outdated, flawed or require an extensive setup (rbash, forcecommand, chroot, ...).

I've also considered changing the protocol to sftp, which should allow me to use the restricted sftp environment via OpenSSH, but I have no experience with it.

An alternative idea was to use an API endpoint (e.g. FastAPI, which is already running on Server1) or simply a webserver via HTTPS with custom API secrets or mTLS on Server1 to allow Server2/3 to retrieve the .pem-files.

At the moment, the API/webserver approach seems most reasonable and least complex, yet it feels unnecessarily convoluted. I'd prefer a solution that doesn't require additional software.

Server1 has .pem-files (owned by root) and Server2/3 need those files updated regularly (root-owned location). What method can I use to distribute those files automatically in a secure manner?

  • Do you trust your LAN? Would you consider rsyncd with root write permissions just to the LetsEncrypt directory tree? Commented Jun 2, 2024 at 15:59
  • Generally I try to follow a zero trust principle, but I'll have a look at rsyncd to see if that would work in my situation. Thank you! Commented Jun 2, 2024 at 16:06
  • Actually, with port forwarding we can wrap the unencrypted rsyncd over an ssh channel. I'll see if I can put an answer together. Commented Jun 2, 2024 at 17:11

2 Answers


I've settled on an rsync-only user that can only rsync data to a predefined directory using SSH keys (https://gist.github.com/jyap808/8700714). I rsync the files with a script that runs after successful LetsEncrypt deployments. On the receiving servers, I have an inotifywait service running that moves the files to the appropriate locations right after they've synced onto the server.

  • If you ever find the time, I'd love to see a blogpost or some longer format writeup of how you set this up. Interesting! Commented Jul 1, 2024 at 3:19
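The receive-side step from the answer above, as an added example that is neither the answerer's nor the linked gist's code: the handler an inotifywait service would call validates the synced pair (key matches certificate, certificate not about to expire) before installing it with restrictive permissions. The staging directory the rsync user writes to and the root-owned destination are assumed paths, not taken from the thread.

```bash
#!/usr/bin/env bash
# Receive side: install synced *.pem files only after sanity checks.
# Assumed layout (not from the question): rsync drops files into $stage,
# root-owned services read them from $dest. Requires openssl and coreutils.
set -euo pipefail

# Return 0 only if the staged key and certificate belong together and the
# certificate is valid for at least one more day.
validate_cert_pair() {
    local cert="$1" key="$2"
    [ -s "$cert" ] && [ -s "$key" ] || { echo "missing or empty pem file" >&2; return 1; }
    # Reject a stale or corrupt certificate early (-checkend takes seconds).
    openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1 \
        || { echo "certificate expired, expiring within 24h, or unreadable" >&2; return 1; }
    # Compare the public key embedded in the leaf cert with the private key's.
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER | sha256sum)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }
}

# Atomically move a validated pair into place. Prints "installed" or "unchanged".
install_cert_pair() {
    local stage="$1" dest="$2"
    validate_cert_pair "$stage/fullchain.pem" "$stage/privkey.pem" || return 1
    # Nothing to do if the synced chain is identical to what is already deployed,
    # so dependent services are not reloaded needlessly.
    if [ -f "$dest/fullchain.pem" ] && cmp -s "$stage/fullchain.pem" "$dest/fullchain.pem"; then
        echo "unchanged"; return 0
    fi
    mkdir -p "$dest"
    # Write under a temporary name, then rename: readers never see a half-written file.
    install -m 0644 "$stage/fullchain.pem" "$dest/.fullchain.pem.tmp"
    install -m 0600 "$stage/privkey.pem" "$dest/.privkey.pem.tmp"
    mv -f "$dest/.fullchain.pem.tmp" "$dest/fullchain.pem"
    mv -f "$dest/.privkey.pem.tmp" "$dest/privkey.pem"
    echo "installed"
}
```

A service reload (e.g. for the web server consuming the files) would follow the "installed" result; an rsync'd key that fails validation is left in staging and never reaches the destination.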

You could see if you can find a server for CMS or maybe EST that allows distributing the same cert to multiple nodes instead of generating unique keys? There are probably benefits to using a protocol designed for this purpose.

  • Using a unique SSH key for each client using the certificate gives the flexibility to be able to deny SSH access to one specific host, without disrupting access for the others. If every client host uses the same key, that isn't possible. Commented Jun 3, 2024 at 23:50
