Adding new domain name to the existing certificate

Hi community, I have created a new project "". It is same like where a user can create their own website. So When a user adds new domain name on the platform then a user has to create a Cname record in his DNS settings on his domain name provider and then his domain name can successfully point to "" easily but the problem is that I am not able to provide the ssl certificate to the user's domain name because it is not in my control. Can someone please tell me that how can I do it?

I ran this command: certbot certonly --dns-digitalocean --dns-digitalocean-credentials ~/.secret/digitalocean.ini -d -d '*' -d -d

It produced this output: Encountered exception during recovery: certbot.errors.PluginError: Unable to determine base domain for using names: ['', '', 'com'].
Unable to determine base domain for using names: ['', '', 'com'].

Thanks in advance
Anurag soni
Founder and core developer of

You will most likely want to have separate certificates for each of your customers. This will simplify adding and removing customer domains.

Your first certificate and * can be obtained using the DigitalOcean plugin, just as before.

Then for each customer domain, you can use something like the webroot plugin to perform the HTTP challenge:

certbot certonly -d -d --webroot -w /path/to/userdomain/webroot/

You will also need to organize your webserver configuration to serve the appropriate certificate based on the domain being visited.

There's some relevant advice about all of this here as well: Integration Guide - Let's Encrypt


Thanks for your response @_az
Actually the problem is that my platform does not control my users nameservers, I just use Txt record to verify there domain and Cname to point to my "" domain. That is why I can not obtain the ssl certificate for their domain name.

I wonder how blogger do it.

By the way If I tell my customer to add NS records on there domain name then how will I verify there domain name because there DNS records will be disabled by the company(Godaddy etc.) and I will not be able to verify Txt record.

1 Like

Yes, you would not be able to perform DNS-01 authentications against their domains; As you do not control their domain DNS [nor should you ever].
But, since all HTTP requests will follow the CNAMEs and thus reach your IP, you can use HTTP-01 authentication to validate the challenge requests for their FQDN at your IP [and obtain an LE cert for them].


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.