← Back to context

Comment by KMag

3 years ago

You could sync certificates across hosts for this purpose, though. The advantage of multiple certificates is being able to revoke a subset of certificates if you can determine only a subset of your hosts have been compromised.

you could, but unfortunately the LE certs have a very short lifetime, and renewals are a thing

so you need a master server to handle the renewals, periodic sync, and to handle the case when the master goes away

this would be considerably more complicated than having a second independent certificate (assuming you've automated the entire frontend provisioning process)