Can I skip HTTP-01 for subdomains if I can pass it for TLD?

Hi, ye gods!

I run two servers for which I need two certs:

  1. (normal apache server, certbot works fine)
  2. (new proprietary server I'm trying to get a cert for)

I'm not able to do the DNS-01 challenge reliably so a wildcard cert is out of the question.
And, since I don't have a reverseproxy in front of I can't intercept requests to /.acme-challenge.

is there any way for me to obtain a certificate with SANs for both and by ONLY completing HTTP-01 for

1 Like

Hi @Moonlit,

Unfortunately, No. In order to get a certificate with HTTP-01 challenge, you must pass the challenge for each host individually.

Thank you

1 Like

Thank you very much for the quick reply.

I can see why that is, I'll do a workaround. :slight_smile:

1 Like

I'm sensing you're asking this because you want both hostnames in a single certificate, am I right? Because in that case, you'd also need to securely transfer the certificate and private key from server A to server B somehow.

Maybe it's just easier to get two certs, one for both servers? Usually I don't recommend such a thing, as it would increase the load on the Let's Encrypt servers hugely if everybody would get single certs for just one hostname, but it is a viable option.

Also, you don't need a reverse proxy in front of you could also add a redirect on for just /.well-known/acme-challenge/ to the Let's Encrypt validation server would follow that redirect without an issue and the request would end up at your server 1. You'd have to securely transfer that certificate to your second server somehow tho like I said before.


This could have been in bold :wink:

1 Like

The two servers have access to the same fileshare so I could easily add a line to the post-hook-script to copy it after I converted it to .pfx.

I can't make any changes to it like add a redirect, I can only tell it which file to load the cert from.

Although that does give me an idea for a workaround - host on another webserver and redirect everything except /.well-known/acme-challenge/.

Just after I made the post I realized I had a real webserver on another port on foo, so I worked around it by using that server for the HTTP-01. I'd rather use the server I had originally planned on, but it's good enough that way :slight_smile:


This sounds like a ridiculously complex setup!

1 Like

You mentioned that you can't do a wildcard cert because you can't do DNS validation. For DNS validation to work all you need to be able to do is point a couple of CNAME records for and to a DNS zone that you control (then you can update that instead), or you can use acme-dns which is roughly the same thing.

Http validation is great when you control all of the http configuration and firewalls, but in complex scenarios DNS validation is genuinely much easier.

1 Like

jvanasco, it is complex but I need to publish both an isolated shellinabox instance for guest shells, a normal webserver for myself, and a plex server, all on separate OS-es.

I thought it might be useful for others if I managed to get a clear answer to whether a successful HTTP-01 challenge for a top-level domain could result in a certificate with subdomains added to the cert in addition to the TLD. It can't, and for good reason.

webprofusion, I don't want to complicate my set-up further by using DNS-01 so I'm happy now :slight_smile:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.