Can I skip HTTP-01 for subdomains if I can pass it for TLD?

Hi, ye gods!

I run two servers for which I need two certs:

  1. moonlit.no (normal apache server, certbot works fine)
  2. foo.moonlit.no (new proprietary server I'm trying to get a cert for)

I'm not able to do the DNS-01 challenge reliably so a wildcard cert is out of the question.
And, since I don't have a reverse proxy in front of foo.moonlit.no I can't intercept requests to /.acme-challenge.

Is there any way for me to obtain a certificate with SANs for both moonlit.no and foo.moonlit.no by ONLY completing HTTP-01 for moonlit.no?

1 Like

Hi @Moonlit,

Unfortunately, no. In order to get a certificate with the HTTP-01 challenge, you must pass the challenge for each host individually.

Thank you

1 Like

Thank you very much for the quick reply.

I can see why that is, I'll do a workaround. :slight_smile:

1 Like

I'm sensing you're asking this because you want both hostnames in a single certificate, am I right? Because in that case, you'd also need to securely transfer the certificate and private key from server A to server B somehow.

Maybe it's just easier to get two certs, one for both servers? Usually I don't recommend such a thing, as it would increase the load on the Let's Encrypt servers hugely if everybody would get single certs for just one hostname, but it is a viable option.

Also, you don't need a reverse proxy in front of foo.moonlit.no: you could also add a redirect on foo.moonlit.no for just /.well-known/acme-challenge/ to moonlit.no: the Let's Encrypt validation server would follow that redirect without an issue and the request would end up at your server 1. You'd have to securely transfer that certificate to your second server somehow though, like I said before.

3 Likes

This could have been in bold :wink:

1 Like

The two servers have access to the same fileshare so I could easily add a line to the post-hook-script to copy it after I converted it to .pfx.

I can't make any changes to it like add a redirect, I can only tell it which file to load the cert from.

Although that does give me an idea for a workaround - host foo.moonlit.no on another webserver and redirect everything except /.well-known/acme-challenge/.

Just after I made the post I realized I had a real webserver on another port on foo, so I worked around it by using that server for the HTTP-01. I'd rather use the server I had originally planned on, but it's good enough that way :slight_smile:

2 Likes
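Since the thread mentions copying the certificate to a shared location from a certbot post-hook after converting it to .pfx, here is an added example of such a hook (not the poster's own script, and not part of the original thread). It assumes certbot's standard `RENEWED_LINEAGE` deploy-hook variable, a share mounted at a hypothetical `$SHARE_DIR`, and the PKCS#12 export password stored in a hypothetical root-only file `$PFX_PASS_FILE`. The bundle contains the private key, so it is written with owner-only permissions and moved into place atomically.

```shell
#!/bin/sh
# Added example, not from the thread: certbot deploy hook that exports the
# renewed PEM files as a password-protected .pfx onto a shared directory.
# Assumed (hypothetical) environment: SHARE_DIR, PFX_PASS_FILE.
# Usage:  certbot renew --deploy-hook /path/to/this-script.sh
set -eu

# export_pfx LINEAGE_DIR DEST_PFX PASS_FILE
#   LINEAGE_DIR holds privkey.pem and fullchain.pem (certbot layout)
#   PASS_FILE   contains the PKCS#12 export password on its first line
export_pfx() {
    lineage="$1"; dest="$2"; passfile="$3"
    umask 077                 # the bundle carries the private key: owner-only
    tmp="$dest.tmp.$$"
    openssl pkcs12 -export \
        -inkey "$lineage/privkey.pem" \
        -in "$lineage/fullchain.pem" \
        -out "$tmp" \
        -passout "file:$passfile"
    mv "$tmp" "$dest"         # atomic replace: the consumer never sees a partial file
}

# verify_pfx PFX PASS_FILE: returns 0 only if the bundle parses with that password
verify_pfx() {
    openssl pkcs12 -in "$1" -noout -passin "file:$2" >/dev/null 2>&1
}

# Entry point when certbot invokes the script (RENEWED_LINEAGE is set by certbot).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    dest="${SHARE_DIR:-/mnt/share}/$(basename "$RENEWED_LINEAGE").pfx"
    export_pfx "$RENEWED_LINEAGE" "$dest" "${PFX_PASS_FILE:-/etc/letsencrypt/pfx-pass}"
    verify_pfx "$dest" "${PFX_PASS_FILE:-/etc/letsencrypt/pfx-pass}"
fi
```

The password file and the share's permissions are the weak points here: anyone who can read the .pfx and the password file holds the private key for both names, so the share should be restricted to the two server accounts rather than left world-readable.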

This sounds like a ridiculously complex setup!

1 Like

You mentioned that you can't do a wildcard cert because you can't do DNS validation. For DNS validation to work all you need to be able to do is point a couple of CNAME records for _acme-challenge.moonlit.no and _acme-challenge.foo.moonlit.no to a DNS zone that you control (then you can update that instead), or you can use acme-dns which is roughly the same thing.

HTTP validation is great when you control all of the HTTP configuration and firewalls, but in complex scenarios DNS validation is genuinely much easier.

1 Like

jvanasco, it is complex, but I need to publish both an isolated shellinabox instance for guest shells, a normal webserver for myself, and a plex server, all on separate OSes.

I thought it might be useful for others if I managed to get a clear answer to whether a successful HTTP-01 challenge for a top-level domain could result in a certificate with subdomains added to the cert in addition to the TLD. It can't, and for good reason.

webprofusion, I don't want to complicate my set-up further by using DNS-01 so I'm happy now :slight_smile:

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.