Create certificate for domain containing a lot of subdomains

If I have domain xxxx.co.uk and this domain contains some subdomains like
A1.xxxx.co.uk, B1.xxxx.co.uk, C1.xxxx.co.uk, .....
how can I create this cert? Via the below command, right?

certbot certonly -d "*.xxxx.co.uk" -d xxxx.co.uk

Hello @amna

That creates a wildcard certificate with two entries: *.xxx.co.uk and xxx.co.uk

Do you want this, or do you want 10 explicit certificates?

a1.xxx.co.uk
b1.xxx.co.uk

There are different options, with different consequences for how you use the certificate.

Hi @JuergenAuer,
thanks a lot for your quick reply. As far as I know, one certificate can contain 100 names. I'd like to know how to create a certificate for the main domain xxxx.co.uk so I can add a subdomain as a name under the main domain's certificate, not as a new certificate?

My question, put another way:

  1. If I want to create a wildcard certificate, should I put all subdomains, or can I put *?
  2. If I should add all subdomains, and I want to add a new subdomain after the first creation, will this be considered a new cert or a sub-cert of the main domain?

  1. You can create a certificate with *.example.com and example.com. So you need not list all subdomains in one certificate.

  2. You would need a new certificate with this name.

I am also using a *.example.com certificate. It's easy: I can add a new subdomain, I don't need to create a new certificate.

But: wildcard certificates require ACME v2, available since about 03/2018. So check if your certbot is updated. And: dns-01 is required, so you have to add two DNS entries with the same name _acme-challenge, one with the *-hash, one with the hash of example.com.

Hi JuergenAuer,
how do I set the DNS entries for *.example.com and example.com? Sorry for my bad question, but in my case every vhost may point to a different IP, for example:
A1.example.com is located on server1, so in DNS the entry A1.example.com points to server1_IP
A2.example.com is located on server2, so in DNS the entry A2.example.com points to server2_IP
A3.example.com is located on server3, so in DNS the entry A3.example.com points to server3_IP
A4.example.com is located on server4, so in DNS the entry A4.example.com points to server4_IP
A5.example.com is located on server5, so in DNS the entry A5.example.com points to server5_IP

and so on …

The IP addresses of your subdomains are irrelevant.

If you want to get a *.example.com + example.com certificate (with two alternate names), you have to create two TXT entries

_acme-challenge.example.com

with two different values.

Depending on your DNS hoster, you may only have to create two entries

_acme-challenge

because the .example.com is added automatically. And the two values: Certbot may show these.

First use the staging system and create a certificate for *.example.com (without example.com).
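Added example (not part of the thread, and not certbot's or acme.sh's own code): how an ACME client derives the two TXT values described above from the challenge token and the RFC 7638 thumbprint of the account key (RFC 8555 section 8.4), and why *.example.com and example.com both validate at the single name _acme-challenge.example.com. The account key, the tokens and the zone contents are constructed placeholders; `published` stands in for what `dig +short TXT _acme-challenge.example.com` would return.

```python
# Added example, not code from the thread. Shows why a "*.example.com +
# example.com" order needs TWO TXT values under ONE record name, and how each
# value (the "hash" the posters refer to) is computed. All inputs below are
# constructed placeholders, not real Let's Encrypt values.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the account key: only the required members,
    lexicographically ordered, no whitespace, then SHA-256."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(keyAuthorization)), where
    keyAuthorization = token '.' thumbprint (RFC 8555 sections 8.1 and 8.4)."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """The validation name strips a leading '*.', so *.example.com and
    example.com both validate at _acme-challenge.example.com."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def expected_records(challenges: dict, thumbprint: str) -> dict:
    """Map {identifier: token} to {record_name: {txt_value, ...}}. Values for
    identifiers that share a name are accumulated, never overwritten."""
    records: dict = {}
    for identifier, token in challenges.items():
        name = challenge_record_name(identifier)
        records.setdefault(name, set()).add(dns01_txt_value(token, thumbprint))
    return records


def missing_values(expected: dict, published: dict) -> dict:
    """Values the CA will look for that the zone does not (yet) serve.
    'published' is {record_name: {txt_value, ...}} as observed in DNS."""
    return {name: values - published.get(name, set())
            for name, values in expected.items()
            if values - published.get(name, set())}


# Constructed account key; the coordinates are placeholders and the point is
# never used cryptographically. "use" is present on purpose: the thumbprint
# must ignore every member outside the required set.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "use": "sig",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

# Constructed tokens, one per authorization in the order.
CHALLENGES = {"*.example.com": "wildcardTokenAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
              "example.com": "apexTokenBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"}


def demo() -> dict:
    """Reproduce the common mistake: the operator overwrote the first TXT
    record instead of adding a second one, so only the apex value is served."""
    thumbprint = jwk_thumbprint(ACCOUNT_JWK)
    expected = expected_records(CHALLENGES, thumbprint)
    apex_only = dns01_txt_value(CHALLENGES["example.com"], thumbprint)
    published = {"_acme-challenge.example.com": {apex_only}}  # constructed zone state
    return missing_values(expected, published)


if __name__ == "__main__":
    for name, values in demo().items():
        print(f"{name} still needs TXT value(s): {sorted(values)}")
```

Run as-is it reports the wildcard value still missing, because the second record replaced the first instead of being added beside it. Once both values are served, `missing_values` returns an empty dict; that is the state to reach, and to confirm with a public resolver rather than your provider's control panel, before asking the CA to validate.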

Sorry, I didn't get your point. Can you please provide me with an example?

Use your first command. But use the test/staging system. There is a Certbot option to use the test system, but I don't use certbot.

@JuergenAuer
Let me clarify what I understood: I can install a wildcard certificate by one of the below.

Option 1

git clone https://github.com/Neilpang/acme.sh.git
cd ./acme.sh
./acme.sh --install
acme.sh --issue -d '*.example.com' --dns --force   # quote the * so the shell does not glob it

(during this step it will show me a message to set a DNS entry; should I set it as below, or should I put the IP of the server? I can't put a specific IP as each vhost points to a different IP server
TXT record _acme-challenge
value: "…")

Option 2

certbot -d '*.example.com' --manual --preferred-challenges dns certonly --server https://acme-v02.api.letsencrypt.org/directory

(during this step it will show me a message to set a DNS entry; should I set it as below, or should I put the IP of the server? I can't put a specific IP as each vhost points to a different IP server
TXT record _acme-challenge
value: "…")

Please confirm if this is correct, especially the DNS entry part.

I don't understand this. DNS TXT entries don't use the IP address.

And there is no global way; that depends on your DNS provider. My DNS provider has a menu (grouped by domain).

This creates a valid entry for _acme-challenge.mydomain.de

Hi @JuergenAuer,
I have used the below command to issue the wildcard certificate and set the TXT DNS entry for this domain:
./acme.sh --issue -d '*.example.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Now I want to set up the SSL vhost for each domain, but I am not sure how. As far as I know I should do the below:

  1. copy the CSR, key and chain to server1, server2, server3, … (any servers where I have a vhost with domain *.example.com), then configure the SSL vhost file.
    "Should I copy the certificate from the server where I have installed acme.sh, or should I install acme.sh on all servers?"

Another question related to renewal:
can I renew the wildcard certificate via the below cron job?
./acme.sh --issue -d '*.example.com' --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please --renew --force

That depends on your server software.

I don't use acme.sh and don't know the options.

No, because it will require manual interaction each time. And you don't want --force in a cron job, as you'll blow the rate limits pretty quickly.


@danb35
What do you mean by manual interaction? You mean every time I renew the certificate, I should change the TXT DNS entry?

Every time you renew the certificate, you have to change the TXT entry.

(Unless you have validated the name recently, but then you'd have no reason to renew.)

What @mnordhoff said, and that you'll have to do it manually. And you're (incorrectly, apparently) telling acme.sh you understand that when you use the "--yes-I-know-dns-manual-mode-enough-go-ahead-please" flag. If you want automatic renewal (which you should), you need to be using a DNS host with a supported API so that the TXT records can be updated by the script.

@danb35
thanks a lot for your reply. So I should enable API calls for the DNS host (I use GoDaddy, "GoDaddy API"), then write a script to automatically change the TXT record?

If you're using Godaddy for your DNS, you don't need to write anything; acme.sh already supports the Godaddy API:
