Configuring SSL Certificates Across Multiple Network Nodes
Configuring SSL certificates across multiple network nodes ensures encrypted communication between servers, load balancers, and containers. This guide outlines a systematic approach for deploying TLS certificates in distributed environments using automation tools like certbot, Ansible, and Kubernetes secrets.
Prerequisites for Multi-Node SSL Deployment
Before starting, verify that you have:
- Root or sudo access to all target nodes
- DNS records resolving each node's hostname to its public IP
- Open ports 80 and 443 on firewalls for ACME challenges
- Network connectivity between nodes and a central management server
Step 1: Generate a Private Key and CSR
On the management node, create a 2048-bit RSA private key:
openssl genrsa -out wildcard.key 2048
Generate a Certificate Signing Request (CSR) that lists every name the certificate must cover as subject alternative names (SANs); clients validate SANs, not the CN (the -addext option needs OpenSSL 1.1.1 or later):
openssl req -new -key wildcard.key -out wildcard.csr -subj "/CN=*.example.com" -addext "subjectAltName=DNS:*.example.com,DNS:example.com"
Step 2: Request and Obtain the Certificate
Use an ACME client like certbot to automate issuance. Note that certbot generates its own key pair unless you pass the CSR from Step 1 with --csr. For a wildcard certificate covering multiple subdomains (quote the name so the shell does not expand the asterisk):
certbot certonly --manual --preferred-challenges dns -d "*.example.com"
Complete the DNS-01 challenge by adding the TXT record that certbot prints for _acme-challenge.example.com. Alternatively, use HTTP-01 if each node has its own domain; wildcards are only issued via DNS-01.
Step 3: Distribute Certificate Files to Nodes
Copy the fullchain and private key to each node using SCP or rsync with restricted permissions:
scp /etc/letsencrypt/live/example.com/fullchain.pem node1:/etc/ssl/certs/
scp /etc/letsencrypt/live/example.com/privkey.pem node1:/etc/ssl/private/
Set ownership to root and permissions to 644 for certificates, 600 for private keys.
Step 4: Configure Web Servers on Each Node
For Nginx nodes, update the SSL block:
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/fullchain.pem;
    ssl_certificate_key /etc/ssl/private/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
}
For Apache nodes:
SSLEngine on
SSLCertificateFile /etc/ssl/certs/fullchain.pem
SSLCertificateKeyFile /etc/ssl/private/privkey.pem
Step 5: Automate Renewal Across Nodes
Create a shared script on the management node that:
- Checks certificate expiry with openssl x509 -checkend 86400 -noout -in /etc/letsencrypt/live/example.com/fullchain.pem (exit status 1 means the certificate expires within the next 24 hours)
- Runs certbot renew
- Distributes updated files via an Ansible playbook
- Reloads services (nginx, apache2, haproxy)
Schedule the script with cron (e.g., 0 0 * * * /usr/local/bin/renew-ssl.sh).
Step 6: Validate the Deployment and Troubleshoot
Test connectivity from multiple locations using:
openssl s_client -connect node1.example.com:443 -servername node1.example.com
Verify certificate chain integrity with:
curl --cacert /etc/ssl/certs/fullchain.pem https://node1.example.com
This confirms the node serves the bundle you deployed; run the same curl without --cacert as well, so the chain is also validated against the system trust store the way ordinary clients do.
Common issues include mismatched SANs, expired intermediate CA certificates, and permission errors on private keys.
Containerized Environments (Kubernetes)
Store certificates as TLS secrets:
kubectl create secret tls wildcard-tls --cert=fullchain.pem --key=privkey.pem
Reference the secret from Ingress resources via spec.tls.secretName; the ingress controller reads the tls.crt and tls.key entries from it.
Monitoring and Expiry Alerts
Use Prometheus with the ssl_cert_expiry metric or simple shell scripts to email alerts 30 days before expiry. Integrate with PagerDuty if certificates expire within 7 days.
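The following is an added example, not part of the original guide, that combines the Step 6 validation and the expiry policy above: it connects to a node with SNI, lets Python's default context verify the chain against the system trust store, checks that a DNS SAN actually covers the hostname (the "mismatched SANs" issue), and maps days remaining to the guide's 30-day e-mail / 7-day page tiers. The alert tier names and the sample certificate dictionary are assumptions made here.

```python
import socket
import ssl
import time

DAY = 86400
ALERT_NONE, ALERT_EMAIL, ALERT_PAGE = "ok", "email", "page"  # names assumed here

def san_matches(hostname, cert):
    """True if a DNS SAN covers hostname. A wildcard is honoured only in the
    leftmost label and matches exactly one label, as browsers do (RFC 6125)."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pat = value.lower().split(".")
        if len(pat) != len(host):
            continue
        if pat == host or (pat[0] == "*" and len(pat) > 2 and pat[1:] == host[1:]):
            return True
    return False

def days_remaining(cert, now=None):
    """Days until notAfter (negative once expired); `now` is overridable for tests."""
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return (not_after - (time.time() if now is None else now)) / DAY

def alert_level(days):
    """The guide's policy: e-mail at 30 days out, page on-call at 7 days."""
    if days <= 7:
        return ALERT_PAGE
    if days <= 30:
        return ALERT_EMAIL
    return ALERT_NONE

def check_node(hostname, port=443, timeout=5.0):
    """Live check: SNI handshake, chain + hostname verified by the default context."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()  # parsed dict; populated only after verification
    days = days_remaining(cert)
    return {"host": hostname, "san_ok": san_matches(hostname, cert),
            "days_left": round(days, 1), "alert": alert_level(days)}

# Constructed sample in getpeercert() format, for offline checks of the logic.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
    "notAfter": "Mar  1 00:00:00 2030 GMT",
}
```

Run check_node("node1.example.com") against each deployed node; a result with san_ok False or alert "page" is what the renewal script or on-call rotation should act on.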
By following these steps, you establish a repeatable SSL configuration workflow across diverse network nodes, reducing manual errors and ensuring consistent encryption.