Certs for domainname and subdomain

Hello all,

I have a domain with several subdomains. With the " A" and SRV records i foward the services to my homeserver, where a xmpp is running.

The domain is:
The subdomains are

I'am using nginx proxy manger to get the certificates, and that works well.
Cause de subdomains are public, they are exposed.
Is there a way to get one cert for the domain, witch i can use internaly for the subdomains?
In other words, i want to hide the subdomains.


Kind regards

1 Like

Is your domain really xmpp.com?

To hide subdomains the option would be to use a wildcard certificate. But that would require the dns-01 challenge, which is often/sometimes more difficult to implement. And as you're using nginx proxy manager, you're pretty much on your own figuring that out. That's because NPM isn't a very popular software application to debug here on this Community and I'm not familiar with any volunteer having much experience with it.

1 Like

Hi Osiris,

No it is not the right domain, just an example of it.
Bottom line is, that i want the subdomains not be exposed.
VIa NPM i get certs for all the domains. I've red some about wildcards, but i think i 'am to inexpierenced to implement that.

I need to make local domains as i now do at the hosting provider.
This is not a common ground for me.

Thank you for your answer,

1 Like

Please refrain from using real world domain names as examples. Please remove the currently used real world domain name and change to e.g. example.com, one of the IANA domain names reserved specially for thus purpose.

I'm not sure what you mean by that.


Can you clarify what you mean by "exposed"? If the server is just to be used on some internal network, then you can use the DNS-01 challenge (as previously stated, required for wildcards but can be used for non-wildcard names too), though the name would still be public. Or, you can try to configure some sort of firewalling that allows Let's Encrypt's validation servers through (by only opening when attempting renewal, or by allowing all requests for .well-known/acme-challenge) but blocks whatever you don't want to "expose".


Let me clarify.

I have a homelab, where i host a application that is calles ejabberd.
Ejabberd is a xmpp server. xmpp is a protocol that is also used by Whatsapp.
The server needs 5 subdomains.

I have a domain example.com and on the hoster i have 5 subdomains

domain: example.com
subdomain xmpp.example.com
subdomain upload.example.com
subdomain groups.example.com
With A and SRV records on the userpanel of the hoster, i have forward the services to my ipadress at home. Via NPM on port 80, i can get Letsencrypt certs.
What i try to accomplish, is that i want that my server can handle the subdomains.
For what i know i must use wildcards.

I don't want that those domains are visible by using dnsdumpster.

exposed means that subdomains are visible by using tools that enumerates subdomains. One tool is dnsdumpster to do this. I have not that knowledge of wildcards.

So, to answer Peter's question then ... You don't need to access the subdomain services from the public internet then? Because their IP will have to be in the public DNS to clients can find the IP. Or, use a DNS wildcard so any subdomain name resolves to the same IP.

Let's Encrypt is a public Certificate Authority (CA) so only issues certs for domain names in the public DNS. You can get a wildcard cert with just the base domain name and any subdomain. But, as noted that requires a DNS Challenge. Otherwise each name must have a public A and/or AAAA record so Let's Encrypt (or anyone) can locate the IP to connect to that domain


Which software/part of the server should handle the subdomains?
If NPM/nginx, then focus questions/research on that.
If Ejabberd, then focus your questions/research on that.


thank you.


After some search, i came up with this excellent video.
I hope this helps.

If i'm correct you can run subdomain within a local environment.
How to get certs for internal subdomains.

That is correct.

I hope you got what you needed. I am not going to watch a 25min video but if you have a specific question about Let's Encrypt certs let us know.


Hi Mike,

That is understandable.
I think it can serves me well as all the other folks on this forum.

Maybe, maybe not. We have seen numerous blogs and videos suggested by visitors here that had very poor instructions. Even some that were ridiculously wrong.

Maybe your video is fine. But without some expert review it's hard to know. I have often read blogs and such for review but a 25min video - forget it. I am a fast reader but not a fast watcher :slight_smile:

The simple answer is if you don't want your subdomain name known in the public DNS or the public Certificate Transparancy (CT) logs you have to use a wildcard cert. And, for that Let's Encrypt requires the DNS Challenge.

LE provides below which is sometimes helpful in a similar situation


YouTube has a feature to speed up the video :rofl:

It looks like the YT-video uses a combination of k8n and Docker by using Portainer and uses Traefik with the dns-01 challenge at the edge in combination with Pi-hole for split-horizon DNS.

I haven't seen the entire video, but doesn't sound too bad. However, IMO it sounds overly complicated for the setup in this thread.



What's clear to me is, that i must use a DNS-01 challenge, and there are methods for this.
In the video Cloudflare is used, some are using other providers.

Thank you :slight_smile:

Here is also a good read.
Wolgangs blog

1 Like