Hey Chris and an ironically-named badger,
I was listening to your segment about what to do with syncing certificates to multiple servers using something like S3, and I have some comments: please, for the love of god, don't do this!
Firstly, because the certificates are the keys to your kingdom. A leak of those removes all security on your services, and lets anyone in the middle snoop on whatever it is you're doing. Self-hosted or otherwise, certificates are massively important, and shouldn't be stored anywhere other than where they're absolutely needed.
Secondly, because it's just not necessary. If you're not using wildcard certificates, then just creating certificates for each domain is totally fine, and they can be stored and managed wherever that domain needs to be served from. If you are using wildcards, there's nothing which says only 1 can exist in the world. My servers each have their own wildcard, automatically managed and renewed by Traefik. This way, there's neither a need to store the certificates anywhere other than the servers, nor to set up some secure storage and communication method. I don't even bother backing up my certificates anymore.
Let's Encrypt (or more specifically ACME) makes provisioning certs insanely simple. Let them deal with the security side of things; we can just use their tools to create all the certificates we want, wherever we want.
Thanks for reading, and keep up the great work.
- Your friendly neighbourhood orange.
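The per-server setup the letter describes, as an added example that is not the writer's own configuration: one Traefik v2 instance requests and renews its own wildcard certificate via ACME, so the private key is generated locally and never copied between hosts. It assumes Traefik's file-based configuration, a placeholder domain and email, the Cloudflare DNS provider (wildcards require a DNS challenge), and provider credentials supplied through the environment variables named in Traefik's documentation.

```yaml
# traefik.yml (static configuration) on each server, assumed example values
entryPoints:
  web:
    address: ":80"
    http:
      redirections:          # send plain HTTP to the TLS entry point
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

certificatesResolvers:
  le:
    acme:
      email: admin@example.com           # placeholder contact address
      storage: /letsencrypt/acme.json    # local only; keep it mode 0600 and off shared storage
      dnsChallenge:
        provider: cloudflare             # wildcard names need the DNS-01 challenge
        # API token comes from the environment, never from this file

providers:
  file:
    filename: /etc/traefik/dynamic.yml

---
# dynamic.yml (routers and services) on the same server
http:
  routers:
    app:
      rule: "Host(`app.example.com`)"
      entryPoints: ["websecure"]
      service: app
      tls:
        certResolver: le
        domains:
          - main: "*.example.com"        # this server's own copy of the wildcard
            sans: ["example.com"]
  services:
    app:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"  # placeholder backend
```

Every server runs the same configuration and ends up with its own independently issued wildcard; if one host is compromised, only that host's key needs revoking and the others are untouched.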