Already have a cert for our domain name but need one for an internal server

Hi All,

I already have LE cert for a few servers created by someone else and now I need a new cert for an internal non public facing server.

Is there any instructions on how to do this please, we already have cert bot running on the public facing server but not sure how to add sub domains.


Hi @playford,

Let’s Encrypt can issue certificates for non-public-facing servers, but they usually have to be validated by the DNS-01 method, which involves making changes to your DNS zone file to confirm your control over the domain name.

The other validation methods require making an inbound connection to the server, which is normally not possible for

In Certbot it’s current not very practical to combine different validation methods or challenge types within the same certificate, even though the ACME protocol and the CA support it. So you might want to make a new, additional certificate for the non-public-facing service.

With Certbot, you can do this using certbot certonly --manual --preferred-challenges dns-01 -d, which will prompt you with the DNS challenges to make and then ask you to confirm when you’ve made them. Note that a certificate obtained this way cannot be renewed with certbot renew, which isn’t capable of pausing for human input. It must be renewed by re-running the certonly command that was used to obtain it.

You might also want to consider a client like, which has excellent support for various DNS provider APIs which may be available to update DNS zones.

Certbot is also getting better in this area. There is also an option for you to provide a script to Certbot to make the DNS changes; if you do that, then you can once again use certbot renew for an unattended/automated renewal of such a certificate.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.