That is a loaded question.
For multiple domains, you have some options, but because Let's Encrypt doesn't do wildcard certs, this may not be the best CA depending on the complexity of some environments. If you have a few, then the current limit is 100 domain aliases per certificate, so you would need to generate 6 certs for 600 domains, for example. Use -d to create these domains per cert. You also have rate limits of 500 per IP address and 20 different certs per week, I believe. See: https://letsencrypt.org/docs/rate-limits/
In the original example in this thread, it shows:
source $home/.acme.sh/acme.sh.csh or simply login/logout first time if you are not sure. I just source .cshrc myself.
acme.sh --issue --dns -d mail.example.com -d mail.example.net -d mail.example.org -d tmail.example.com
One of my Zimbra servers has multiple domains and aliases... I specified them with -d X -d Y -d Z, etc.
What I found useful about 8.7+ and using a proxy in general is that I added a tmail.example.com cert entry to my test server, and without any other changes other than deploying that cert, the users could test this new multiple-domain cert and verify it works with their browsers and email clients on a staging/test server with 8.7+. I had restricted the ciphers, so I was able to verify the user base before doing scp -r of that .acme.sh directory to the production server and doing this for real. I could also verify that 8.7+ wasn't going to break some complex user accounts. I renew the cert from the production machine going forward using the method I outline in this thread. WARNING: that acme.sh script doesn't handle multiple certs very well, so I tend to move the directory (mail.example.com) with the cert out of the way before using the same environment to generate a new certificate for another machine on my test server. There may have been an option to get around this limitation, but I didn't use it. The larger point I am trying to make is that free CAs with 5-10 second creation times do open up some additional possibilities that may not have existed previously, given the time/cost associated with renewing or creating certs with some commercial CAs.
Back to your question about a multi-server, multiple-domain configuration... I can think of 2 ways but have never tested them, nor do I have these configurations. It would be valuable if someone with experience could comment on this. Zimbra has a few documents, which I reference below, that describe a few methodologies.
1. Same as a single-server instance: generate them on one server accounting for all the domains, create the full chain, and scp just what you need (or the whole directory) to each server. From there, verify and deploy them.
2. Create them on each machine, only for that machine, and deploy them directly. That method allows for an extra layer of security, so that a compromised cert keeps the other certs intact, perhaps.
These are good starting points, as are previous answers in this forum on multiple-server and multiple-cert environments.
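As an added example (not code from the original post, and not part of acme.sh itself): a small POSIX shell helper that takes a list of domain names, splits it into batches of at most 100 names (the per-certificate limit cited above), and prints one acme.sh --issue --dns command line per batch, each with its own -d list. The domain names and the batch size of 2 used in the usage call at the bottom are constructed sample values so the script runs offline; in real use you would feed it your actual domain list and leave the default of 100.

```shell
#!/bin/sh
# Added example: build acme.sh "-d" argument lists from a domain list,
# one certificate per batch of at most MAX_PER_CERT names.
# MAX_PER_CERT=100 is the per-certificate name limit mentioned in the post.
MAX_PER_CERT=100

# build_d_args "a b c"  ->  "-d a -d b -d c"
build_d_args() {
    out=""
    for d in $1; do
        out="$out -d $d"
    done
    printf '%s' "${out# }"
}

# count_certs N  ->  number of certificates needed for N names
# (ceiling division, e.g. 600 names -> 6 certs, 101 names -> 2 certs)
count_certs() {
    echo $(( ($1 + MAX_PER_CERT - 1) / MAX_PER_CERT ))
}

# batch_domains [MAX]  ->  reads one domain per line on stdin and prints
# one "acme.sh --issue --dns -d ..." command per batch of MAX names
# (default MAX_PER_CERT). Blank lines are skipped. Note that acme.sh
# uses the first -d of each command as the certificate's directory name
# under ~/.acme.sh, so put the name you want as the primary one first.
batch_domains() {
    max=${1:-$MAX_PER_CERT}
    n=0
    batch=""
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        batch="$batch $name"
        n=$((n + 1))
        if [ "$n" -eq "$max" ]; then
            echo "acme.sh --issue --dns $(build_d_args "$batch")"
            n=0
            batch=""
        fi
    done
    # flush a partial last batch
    if [ "$n" -gt 0 ]; then
        echo "acme.sh --issue --dns $(build_d_args "$batch")"
    fi
    return 0
}

# Usage with constructed sample names and a batch size of 2 for illustration.
# With the default of 100 these four names would fit in a single certificate.
printf '%s\n' mail.example.com mail.example.net mail.example.org tmail.example.com \
    | batch_domains 2
```

Redirect the output to a file and review it before running anything: each line is one certificate request, so the number of lines is also the number of weekly "new certificate" rate-limit slots the run will consume.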