Clarification about wildcards and ip addresses


#1

Hi!
Usually I issue one cert for each subdomain.

I was thinking about issuing a wildcard for one of my domains, but I have one question:
say I have one main domain example.com with two subdomains one.example.com and two.example.com. Each subdomain is set on a unique server with unique ip address (say server one and two).

I go for the *.example.com wildcard, which is gonna be issued by server one, then I have to manually install certs also for server two, is that right?
And then, at renewal, do I have to do the same thing?
Otherwise the domain two would have an expired cert, is that correct?

If so, I should then automate the process to “copy” the renewed cert to server two each time it is updated.


#2

Yes, you seem to understand it perfectly.

Most ACME clients provide some way to perform an action (like copy) after a certificate is issued. With Certbot, it’s --deploy-hook.
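As an added example (not code from the thread or from Certbot itself), here is what such a deploy hook can look like. Certbot exports RENEWED_LINEAGE (the live directory of the certificate that was just issued) and RENEWED_DOMAINS (a space-separated list of its names) to the hook; the remote host, directory, reload command and the dedicated deploy account are placeholders you would replace. The copy and remote-command tools are variables so the script can be exercised locally without ssh.

```shell
#!/bin/sh
# Hypothetical certbot --deploy-hook that pushes a renewed wildcard cert to a
# second server. Added example; hostnames, paths and the reload command below
# are assumptions, not values from the thread.
WILDCARD="${WILDCARD:-*.example.com}"
REMOTE_HOST="${REMOTE_HOST:-deploy@two.example.com}"   # placeholder, limited account
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/example.com}"        # placeholder, root-only dir
DEST="${DEST:-$REMOTE_HOST:$REMOTE_DIR}"
REMOTE_RELOAD="${REMOTE_RELOAD:-sudo systemctl reload nginx}"
# Transport commands are variables so the logic can be tested with cp and ':'.
COPY_CMD="${COPY_CMD:-scp -pq}"   # -p keeps the 0600 mode of privkey.pem
REMOTE_CMD="${REMOTE_CMD:-ssh}"

# Return 0 if the space-separated domain list ($1) contains our wildcard.
renewed_covers_wildcard() {
    set -f                      # disable globbing so "*.example.com" stays literal
    for d in $1; do
        if [ "$d" = "$WILDCARD" ]; then
            set +f
            return 0
        fi
    done
    set +f
    return 1
}

# Copy fullchain.pem and privkey.pem from the lineage dir ($1) to server two
# and reload its web server. Fails (non-zero) if the files are missing or the
# copy fails, so certbot logs the hook failure.
sync_cert_to_server_two() {
    lineage="$1"
    [ -r "$lineage/fullchain.pem" ] && [ -r "$lineage/privkey.pem" ] || return 1
    $COPY_CMD "$lineage/fullchain.pem" "$lineage/privkey.pem" "$DEST/" || return 1
    $REMOTE_CMD "$REMOTE_HOST" "$REMOTE_RELOAD"
}

# Certbot runs the hook once per renewed certificate; act only on the wildcard.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if renewed_covers_wildcard "${RENEWED_DOMAINS:-}"; then
        sync_cert_to_server_two "$RENEWED_LINEAGE"
    fi
fi
```

Install it with `certbot ... --deploy-hook /path/to/hook.sh` or drop it into `/etc/letsencrypt/renewal-hooks/deploy/`; certbot then runs it after every successful renewal, so server two gets the new chain and key before the old one expires. Restricting the remote account to writing that one directory and running the reload keeps a compromise of server one from turning into a general login on server two.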


#3

You could also install an ACME client on each server and maintain two different wildcard certificates.

(Let’s Encrypt has a duplicate certificate rate limit of 5 per week.)

You could also use a non-wildcard certificate on one or both servers.


#4

thanks

@_az’s solution seems to be the easiest for my knowledge

