[SAC] [OSGeo] #2143: Centralize certbot for SSL cert handling.

OSGeo trac_osgeo at osgeo.org
Wed Mar 28 11:24:19 PDT 2018


#2143: Centralize certbot for SSL cert handling.
---------------------------+-------------------------
 Reporter:  TemptorSent    |      Owner:  sac@…
     Type:  enhancement    |     Status:  new
 Priority:  normal         |  Milestone:
Component:  Systems Admin  |   Keywords:  SSL certbot
---------------------------+-------------------------
 To reduce the number of certbot installations that must be configured and
 maintained individually, I propose moving certbot operations to a single
 primary location ('secure' VM would be a good option IMHO) and forwarding
 verification requests from each host using http redirects or proxying, and
 pushing out new keys to each host via ssh.
 See https://nekudo.com/blog/letsencrypt-in-a-multiserver-environment for a
 similar configuration.

 In this configuration, I believe certbot can run in standalone mode with
 no webserver required.

 Each host only needs to provide a redirect or proxy entry to the certbot
 host, rather than installing dependencies for certbot on every host.

 Certs would be maintained for all domains in a single secure location,
 reducing the chance of missing renewals and simplifying administration.

 Backups would be simplified and the entire certbot configuration can be
 easily copied to another host if needed.

 Keys can be distributed to individual hosts using SCP automated with a
 simple script after each certbot renewal runs.

-- 
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2143>
OSGeo <http://www.osgeo.org/>
OSGeo committee and general foundation issue tracker.
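The "push keys to each host after renewal" step of the proposal, as an added example that is not part of the ticket or of any OSGeo script: a certbot `--deploy-hook` that copies the renewed lineage to the hosts serving that domain and reloads their web server. It assumes the central host runs certbot in standalone mode, that each target host has a dedicated `certdeploy` SSH account restricted to writing the certificate directory and reloading the web server, and that the hostnames and paths are placeholders; the copy and reload commands are overridable so the logic can be exercised without network access.

```shell
#!/bin/sh
# Constructed deploy hook for a centralized certbot host (placeholder names).
# certbot invokes it with RENEWED_LINEAGE set to /etc/letsencrypt/live/<name>.

# Map a lineage name to the hosts that must receive its certificate.
hosts_for_lineage() {
    case "$1" in
        www.example.org)  echo "web1.example.org web2.example.org" ;;
        trac.example.org) echo "trac.example.org" ;;
        *) return 1 ;;   # unknown lineage: refuse rather than guess a target
    esac
}

# Copy fullchain.pem and privkey.pem from a lineage directory to every host
# mapped to it, then reload the web server on that host.
# COPY_CMD defaults to scp and RELOAD_CMD to ssh; both are overridable.
push_certs() {
    lineage_dir=$1
    name=$(basename "$lineage_dir")
    hosts=$(hosts_for_lineage "$name") || { echo "no hosts for $name" >&2; return 1; }
    copy=${COPY_CMD:-scp}
    reload=${RELOAD_CMD:-ssh}
    for h in $hosts; do
        for f in fullchain.pem privkey.pem; do
            # fail before touching any host if the lineage is incomplete
            [ -r "$lineage_dir/$f" ] || { echo "missing $lineage_dir/$f" >&2; return 1; }
            $copy "$lineage_dir/$f" "certdeploy@$h:/etc/ssl/$name/$f" || return 1
        done
        # the restricted account is assumed to be allowed only this reload
        $reload "certdeploy@$h" "sudo systemctl reload nginx" || return 1
    done
    return 0
}

# When run by certbot (--deploy-hook /path/to/this/script), RENEWED_LINEAGE is set.
if [ -n "$RENEWED_LINEAGE" ]; then
    push_certs "$RENEWED_LINEAGE"
fi
```

Each target host still needs the HTTP-01 redirect the ticket describes (its `/.well-known/acme-challenge/` path forwarded to the certbot host) for the renewal itself to succeed before this hook runs.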