3

I have a series of subdomains that are a part of a root domain I manage. I have set up certbot on one of these domains: x.example.com and it is successfully using the certificate and renewing it automagically.

I now want to create a new subdomain y on a different server in our infrastructure. I need to use the same Let's Encrypt certificate since the challenge is good for any wildcard domains. However, using for example certbot --nginx ... issues a new challenge and that's no good. I want to use my same certbot stuff from x.

Is there a way to do this? Perhaps using the old challenge? I see --force-renewal and such that talk about if the certificate already exists for the request domains.... It doesn't seem like it fetches a copy of the certificate from their server however. I'd like to have it configure my nginx stuff automatically so I don't have to copy things over (via --nginx).

How do I do this right?

Steve
  • 33
  • 1
  • 4

1 Answers1

2

It sounds like you created a wildcard cert when you didn't need to. It's perfectly reasonable for Server X and Server Y to both have their own copy of certbot generating and renewing a certificate only for the name(s) they care about. They can even share some names.

As long as you don't run up against the Let's Encrypt rate limits, you'll be fine.

Challenge validations are not permanent. You will generally have to re-validate a challenge during every renewal (usually between 60-90 days after original issuance).

Ryan Bolger
  • 16,755
  • 4
  • 42
  • 64
  • Ah okay, that makes sense. I'll just generate a new one for the new subdomain. I think you're right and I was too eager to create a wildcard cert. Do you usually use wildcard certificates for single server multiple subdomain scenarios? – Steve Jun 01 '18 at 16:44
  • 1
    It really depends on the number of sub-domains. A single cert can contain multiple names (also known as SANs or Subject Alternative Names). With Let's Encrypt specifically, you can create a cert with up to 100 distinct names in it. Wildcards are usually only used when you have dynamically created services where you don't know what the sub-domains will be in advance. Though some people make them just to be lazy, heh. – Ryan Bolger Jun 01 '18 at 16:58
  • Thanks for clarifiation. Helped me a lot to understand. I thought using a letsencrypt wildcard would somehow bind me (and all subdomains) to the one machine I was using to retrieve the certificate. – FlyBy Jun 14 '18 at 08:19