Clarification about wildcards and IP addresses


Usually I issue one cert for each subdomain.

I was thinking about issuing a wildcard for one of my domains, but I have one question:
say I have one main domain with two subdomains, and each subdomain is set on a unique server with a unique IP address (say server one and two).

If I go for the * wildcard, which is going to be issued by server one, then I have to manually install the cert on server two as well, is that right?
And then, at renewal, do I have to do the same thing?
Otherwise domain two would have an expired cert, is that correct?

If so, I should then automate the process to “copy” the renewed cert to server two each time it is updated.


Yes, you seem to understand it perfectly.

Most ACME clients provide some way to perform an action (like copy) after a certificate is issued. With Certbot, it’s --deploy-hook.
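One way to wire that copy into Certbot's --deploy-hook, as an added illustration (this is not part of the thread and not Certbot's own code): Certbot runs the hook after every successful issuance or renewal and exports RENEWED_LINEAGE (the live/ directory of the renewed certificate) and RENEWED_DOMAINS (the names it covers). Everything else here is an assumption chosen for the example: the wildcard name *.example.com, the ssh destination deploy@server2.example.com, the directory /etc/ssl/wildcard on server two, and the reload command. The script only acts for the lineage that server two actually needs, refuses to copy an incomplete lineage, and keeps the private key mode 0600 on the other side; setting REMOTE to an empty string makes it copy into a local directory instead of over ssh, which is what the checks below use.

```shell
#!/bin/sh
# Certbot deploy hook: push the renewed wildcard certificate to a second server.
# Added example for this thread; not Certbot's code. Register it with
#   certbot renew --deploy-hook /path/to/this/script
# or drop it (executable) into /etc/letsencrypt/renewal-hooks/deploy/.
#
# Certbot sets these for deploy hooks:
#   RENEWED_LINEAGE  e.g. /etc/letsencrypt/live/example.com
#   RENEWED_DOMAINS  space-separated names on the renewed certificate
#
# Assumed placeholders (change for a real deployment):
WANTED_NAME="${WANTED_NAME:-*.example.com}"          # the name server two serves
REMOTE="${REMOTE:-deploy@server2.example.com}"       # ssh target; "" = local copy
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/wildcard}"        # where server two reads certs
RELOAD_CMD="${RELOAD_CMD:-sudo systemctl reload nginx}"  # run on server two after copy

# Return 0 when the space-separated domain list ($1) contains the wanted name ($2).
# Deploy hooks fire for every lineage on the box, so a renewal of some other
# (non-wildcard) certificate must not overwrite server two's files.
# A case pattern is used instead of a for loop so "*.example.com" is never globbed.
domains_include() {
  case " $1 " in
    *" $2 "*) return 0 ;;
  esac
  return 1
}

# Return 0 when the lineage directory ($1) holds both files a TLS server needs.
lineage_complete() {
  [ -r "$1/fullchain.pem" ] && [ -r "$1/privkey.pem" ]
}

# Copy fullchain.pem and privkey.pem from the lineage dir ($1) to destination ($2).
# With REMOTE set the copy goes over scp and the key mode is fixed over ssh;
# with REMOTE empty the destination is a local directory (no network needed).
copy_lineage() {
  src="$1"; dst="$2"
  if ! lineage_complete "$src"; then
    echo "deploy-hook: $src is missing fullchain.pem or privkey.pem, not deploying" >&2
    return 1
  fi
  if [ -n "$REMOTE" ]; then
    scp -q "$src/fullchain.pem" "$src/privkey.pem" "$REMOTE:$dst/" || return 1
    ssh "$REMOTE" "chmod 0600 '$dst/privkey.pem' && $RELOAD_CMD"
  else
    mkdir -p "$dst" || return 1
    cp "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
    cp "$src/privkey.pem" "$dst/privkey.pem" || return 1
    # the private key must not be readable by other users on the second server either
    chmod 0600 "$dst/privkey.pem"
  fi
}

# Entry point: act only when Certbot set the hook variables and the renewed
# certificate is the wildcard that server two depends on. Returns 0 (do nothing)
# for unrelated lineages so Certbot does not report a hook failure.
run_hook() {
  [ -n "$RENEWED_LINEAGE" ] || return 0
  domains_include "$RENEWED_DOMAINS" "$WANTED_NAME" || return 0
  copy_lineage "$RENEWED_LINEAGE" "$REMOTE_DIR"
}

run_hook
```

Because the live/ entries are symlinks into archive/, both scp and cp copy the current file contents, not the links. If the wildcard is later moved to its own ACME client on server two (the other suggestion in this thread), the hook simply stops matching and does nothing.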


You could also install an ACME client on each server and maintain two different wildcard certificates.

(Let’s Encrypt has a duplicate certificate rate limit of 5 per week.)

You could also use a non-wildcard certificate on one or both servers.



@_az’s solution seems to be the easiest, to my knowledge.