1 certificate, 2 DNS API keys

Hi to all
I'm searching for info on how to do this, but I couldn't find any help.
The current situation is:
1 certificate with 2 domains and a wildcard for both: intersindicalrm.org, *.intersindicalrm.org, sterm.org, *.sterm.org.
These 2 domains point to the same web server. Both are under the same Cloudflare DNS account, so with the same API key the certificate renews, updating both DNS zones.

For administrative reasons, both domains will be separated into 2 CF accounts, so I need to validate 1 certificate with 2 API keys, 1 for each domain.
Is this feasible, or do I need to split the certificate and get 1 certificate for each domain?

Thx in advance


It depends on your ACME client. Which one are you using?

Let’s Encrypt doesn’t know how you make DNS changes.


Hi @mnordhoff
Thx for your fast response.
Until now I have used certbot with --dns-cloudflare --dns-cloudflare-credentials --dns-cloudflare-propagation-seconds 120
But I can change the client if needed.
Having only one certificate to deal with is much easier than dealing with 2.
certbot version is 1.0.0, installed as an RPM package from the EPEL repo on CentOS 7


Hi,

Cloudflare made some changes rather recently (I mean, in the last year). By "separating into two accounts", what account do you mean (the email account, or the actual account in Cloudflare)? Because now there's a possibility that you can put two domains in two separate Cloudflare accounts and still access them with one API key (with your email account).

If you set up the two accounts in this way, the two domains will belong to two separate (Cloudflare) accounts, but you'll also be able to access the domains with the same API key.

Thank you


Hi @stevenzhu
For now I have only 1 CF account with these 2 domains. I'm asking before we split into 2 CF accounts.
The split is planned for administrative purposes (separate domain registration billing), but is still not done.
So if I have 1 member in both accounts, can I update both DNS zones with 1 API key?

EDIT: I can see... Having a common user in both accounts and creating an API token to edit both DNS zones... I will try that and let you know. Thx.


This solution works.
The API token must be configured with:
Account Settings: Read
All Zones: Zone:Read, DNS:Edit

I have not tested it with a more restrictive config, as per the certbot documentation:
" However, due to some shortcomings in Cloudflare’s implementation of Tokens, Tokens created for Certbot currently require Zone:Zone:Read and Zone:DNS:Edit permissions for all zones in your account"
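Putting the thread's outcome together as a script (an added example, not from the thread, certbot or Cloudflare): one certbot run covers both zones with a single scoped API token, after a sanity check that the credentials file is locked down and uses a token rather than the account-wide Global API Key. The path /etc/letsencrypt/cloudflare.ini is an assumption.

```shell
#!/bin/sh
# Added example: one certificate for both domains with one Cloudflare API
# token that is a member of both accounts. Credentials path is assumed.
CF_INI="${CF_INI:-/etc/letsencrypt/cloudflare.ini}"

# check_cf_ini FILE: 0 if FILE exists, is not group/world readable, holds a
# non-empty dns_cloudflare_api_token and no Global API Key (email + api_key).
check_cf_ini() {
    f="$1"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # GNU stat (CentOS 7) first, BSD stat as a fallback.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null || echo unknown)
    case "$perms" in
        600|400) ;;
        *) echo "bad mode $perms on $f (want 600)" >&2; return 1 ;;
    esac
    if grep -Eq '^[[:space:]]*dns_cloudflare_(email|api_key)[[:space:]]*=' "$f"; then
        echo "Global API Key in $f; use a scoped dns_cloudflare_api_token instead" >&2
        return 1
    fi
    grep -Eq '^[[:space:]]*dns_cloudflare_api_token[[:space:]]*=[[:space:]]*[^[:space:]]+' "$f" \
        || { echo "no dns_cloudflare_api_token in $f" >&2; return 1; }
    return 0
}

# certbot_cmd FILE: prints the single-certificate command for both zones,
# using the same plugin options the thread mentions.
certbot_cmd() {
    printf '%s' "certbot certonly --dns-cloudflare --dns-cloudflare-credentials $1 --dns-cloudflare-propagation-seconds 120 -d intersindicalrm.org -d '*.intersindicalrm.org' -d sterm.org -d '*.sterm.org'"
}

main() {
    check_cf_ini "$CF_INI" || return 1
    eval "$(certbot_cmd "$CF_INI")"
}

# Only issue the certificate when explicitly asked, e.g. CERTBOT_RUN=1 ./script.sh
if [ "${CERTBOT_RUN:-0}" = 1 ]; then main; fi
```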

