Can I combine --apache and --dns-cloudflare into a single certificate?

I currently have two certificates, my main certificate covers almost all my domains, generated with --dns-cloudflare

however, I also have a .TK domain, and Cloudflare has that TLD blacklisted from their API, so I had to generate a separate certificate for it using --apache

For convenience, I'd like to try to merge these methods into a single certificate, something like:

certbot certonly --rsa-key-size 4096 --must-staple --dns-cloudflare --dns-cloudflare-credentials ~/cloudflare.ini -d * -d --apache -d -d

Obviously it didn't work ("Too many flags setting configurators/installers/authenticators 'apache' -> 'dns-cloudflare'") but is there any possible way to make this work?

Let's Encrypt does support mixing and matching in this way, but I don't think the certbot client supports it.

Other clients do, for example what calls hybrid mode


It may be more convenient to have different certificates for different domain names in your case. Is there some specific problem you're having with just having certbot managing two different certificates? As stated, you would have to switch your ACME client to a different one, which may be worth it if this is important to you but might not be worth it if your system is currently working fine and it's just not aesthetically pleasing to you.


Nah, the two certificates are working fine, I was just hoping to clean up my Apache configuration a bit. I had to create an extra vhost for my .TK domain because it has to use the alternate certificate, whereas with a single certificate I could just let it hit my wildcard vhost that I use for most of my redirects.

Thanks all for the feedback. I might look into alternate clients if I ever get board enough.

Something else to consider: if you’re using the cert for both domains in the same place, you probably have both domains pointed at the same server. In which case you can use the HTTP challenge for both domains, and you don’t need to use two different means.

There are circumstances where that’s not appropriate, such as if one domain resolved to an internal IP address, so this advice may not be helpful.


Thanks for the input. There's still no possible way to do wildcards with HTTP challenge, right? That was the main reason I was doing DNS challenge for my primary certificate.

Also I usually have at least a few of my apex domains pointed somewhere other than my server (Github/Cloudflare Pages for example) but I want to include them in my server certificate anyway in case I need to point them back to my server in a hurry.

If Cloudflare didn't have .TK blacklisted from the API everything would be good... oh well

Thanks again

1 Like

Yeah, wildcards require DNS challenges. Sounds like you have pretty good reasons to do mixed challenge types.

1 Like