What is a better way to allow guest VMs access to the same SSL certificate?

1

I currently have a host VM set up with letsencrypt to generate security certificates for my domains. I run several services inside VMs (which all use those certs) on that machine, and wish to continue using the same certs for each one. My ideal solution would be to use host-to-guest folder mounts to allow read-only (and privileged) access to the guest machines so that those certificates are updated automatically when the certs on the host machine are renewed; however, folder mounts are unsupported by my current virtualization setup.

I could certainly set up a cron job that runs scp for each certificate when they're renewed; however, that solution requires every VM also has a cron job set up to copy the scripts and modify file permissions after the copy, which can be detrimental to scaling the VMs. Additionally, my desire is to have a central location for the certificates that the guest VMs can grab their certs from. The only other thought I had would be to set up an NFS to hold the certs, though I'm quite hesitant to leave certs sitting out on a network server.

Is there a better way to achieve what I'm trying to set up?

Jonathan Thompson

Posted 2016-03-14T17:48:02.813


This looks more like a server config question than a pure security question - I'm migrating – schroeder – 2016-03-14T18:30:23.523

Please include more detail on the precise operating systems and hypervisors in use. – Anti-weakpasswords – 2016-03-15T04:10:37.310

Answers

0

In response to the general question of how to have one location to update files on multiple guest VMs at once, there are four obvious answers:

  1. An ISO that each guest mounts and unmounts
  2. A network share of some sort
  3. A shared virtual disk
  4. A network transmission of some sort, i.e. a scheduled update of a local copy

    a. One reasonable way to do this is to write a script on the host that iterates through all guests that match a certain criteria (the "Needs this cert" criteria, perhaps based on guest name) and uses certificate-based, hardened SSH to scp from host to each guest on a schedule.

    1. This relegates the initial scaling in the original question to the normal SSH setup for each guest, which should have been scripted anyway; each guest simply needs the host's key in the authorized_keys setup.

In all three cases, you want something that the host mounts read-write and the guests mount read-only.

Anti-weakpasswords

Posted 2016-03-14T17:48:02.813

Reputation: 481
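The host-side push described in option 4a, as an added example (not code from the question or the answer above): a script usable as a certbot deploy hook that selects guests by name and pushes the renewed certificate over key-based, non-interactive SSH. It assumes a guest account named `certsync`, a dedicated deploy key at `/etc/letsencrypt/deploy_key`, and a constructed guest inventory; certbot's `RENEWED_LINEAGE` variable is real, the fallback path is a placeholder.

```shell
#!/bin/sh
# Added example: host-side certbot deploy hook that pushes a renewed cert to
# every guest whose name matches a criterion, over hardened key-based SSH.
# Assumptions (not from the original post): guests are reachable by name as
# user "certsync", the deploy key is /etc/letsencrypt/deploy_key, and the
# guest account is restricted in authorized_keys to the copy/install step.

# Constructed inventory, one guest per line, as a host script might read it
# from its hypervisor CLI.
GUESTS="web-01
web-02
db-01
web-stage"

# The "needs this cert" criterion: guest names beginning with web-.
select_guests() {
    printf '%s\n' "$GUESTS" | grep -E '^web-'
}

# Build (but do not run) the scp command for one guest, so it can be reviewed
# offline. BatchMode refuses password prompts, StrictHostKeyChecking refuses
# unknown host keys, IdentitiesOnly prevents other keys from being offered.
push_cmd() {
    guest=$1
    # certbot exports RENEWED_LINEAGE to deploy hooks; placeholder otherwise.
    lineage=${RENEWED_LINEAGE:-/etc/letsencrypt/live/example.com}
    printf 'scp -i /etc/letsencrypt/deploy_key -o BatchMode=yes -o StrictHostKeyChecking=yes -o IdentitiesOnly=yes %s/fullchain.pem %s/privkey.pem certsync@%s:/etc/ssl/incoming/\n' \
        "$lineage" "$lineage" "$guest"
}

# Push to every selected guest. DRY_RUN defaults to 1 (print only); set
# DRY_RUN=0 in the real deploy hook to execute the copies.
deploy_all() {
    for g in $(select_guests); do
        cmd=$(push_cmd "$g")
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$cmd"
        else
            $cmd || echo "push to $g failed" >&2
        fi
    done
}

deploy_all
```

On each guest, a matching install step (moving files out of `/etc/ssl/incoming/` and setting ownership and mode) can be the only command the `certsync` key is permitted to run, which keeps the guest-side setup to the normal SSH provisioning the answer mentions.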