Certificate for just a subdomain

Hey is there a option to get a new certificate for just a sub domain?
Lets say my site runs on server A on example.com www.example.com and blog.example.com - the subdomain cloud.example.com points to server B. Is there a option with the certbot to get this setup running? I didn’t succeed.
Both server run on nginx.

Thanks anyway!

Hi @Gurkengewuerz, what did you try to do and how did it fail?

Are you trying to use server A to get the certificate that will ultimately be used on server B? Or are you using server B exclusively? Or did you want two different certificates, one for www.example.com and blog.example.com and the other only for cloud.example.com?

@schoen thank you for your answer.
On server A I used this command:
./certbot-auto certonly --standalone --email info@example.com --agree-tos --rsa-key-size 4096 -d example.com -d www.example.com -d blog.example.com
And on server B that command (here also runs a other full Domain, which fine):
./certbot-auto certonly --standalone --email info@example.com --agree-tos --rsa-key-size 4096 -d mydomain.tld -d www.mydomain.tld -d cloud.example.com

So both runs its own challenge.
Maybe I missed something.

Thank you for your help!

Edit: in /etc/letsencrypt/live/ is just mydomain.tld on Server B

@Gurkengewuerz, what you described should work fine; I can’t think of any problem with this. If you encountered a problem, I don’t think it’s related to the content of the certificates that you’re requesting. Maybe you can give us some more specific information about error messages you encountered?

1 Like

Based on what I think you want, just don’t specify a domain that the server can’t pass verification. That should mean for server B, just use “-d cloud.example.com” and drop the “-d www.example.com”. Assuming you pass the verification, you’ll get a certificate only for cloud.example.com.


Yes indeed, just request the certificate for the subdomain you want. So if you want a cert for only secure.mydomain.com then just request that one certificate. When you need a cert for another subdomain private.mydomain.com at a later date then request it when needed. My root domain spans across 4 Ubuntu servers, some run mail, some run web sites and each server has it’s own certbot installation and it’s own subdomain level certs. So I request those certs as follows

sudo ./certbot-auto certonly --agree-tos --rsa-key-size 4096 -m dnsadmin@mydomain.com -d secure.mydomain.com --renew-by-default

1 Like

Thanks all I will try I today. Is there a option to begin from the start? Could I just delete /etc/letsencrypt/live and submit a new one?

First back up /etc/letsencrypt/live before you try that. Are there currently certs in that folder?

Also add the --dry-run flag onto the end of the certbot command so you can see output / errors before you actually generate a cert.

@all Thanks for your help.
I Dont know what was wrong in the configuration. I backuped the full /etc/letsencrypt directory and started everything from new. Now it works fine :wink:

Thanks for your time.


Awesome glad it’s all working now, have fun :wink:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.