Different challenge per domain

Hi,

I would like to create a certificate for the domains *.example.org, example.com and example.net.

As *.example.org is a wildcard domain, it needs to be verified with the dns challenge.

However, I would like to verify example.com and example.net with the http challenge.

Is this possible with letsencrypt?
It seems like most clients (I am using dehydrated) do not support using different challenge types per domain. Would you know of a client that supports this?

Best regards
Yannik

Not with one single request, as each request must be of one specific type.
But... with a little patience and logic, you can get them on the same cert.
Step #1: Obtain a cert for the HTTP challenged names - these auths will be cached (up to 30 days).
Step #2: Delete that cert - not needed, only cached auths are needed.
Step #3: Obtain a cert for all names via DNS - the cached auths should be skipped and only the wildcard would be challenged.
[not very elegant - but it can be automated]

OR

Redesign your vhost configs so that the wildcard cert is used in a separate server block.
If so, then you might be able to use all names via multiple certs (and blocks).
[presuming the whole reason for getting a single cert is that you are using a single block]
In this case:
Step #1: Obtain a cert for the HTTP challenged names
Step #2: Obtain a cert for wildcard names via DNS

1 Like

I'm not seeing this limitation in RFC 8555? The section about "orders" never specifies that each authorization for that order has the same challenge type? This might be a limitation of certbot, but as far as I can tell, it's not a limitation of the ACME RFC.

2 Likes
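The per-identifier choice that RFC 8555 allows, as an added example (not code from the thread or from any of the clients named in it): it takes the authorization objects a server would return for an order covering the three names, picks the challenge type per name from a policy map, and derives what each challenge requires publishing. The account JWK, tokens and authorization JSON are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed sample data (not from the thread): an ACME account key as an EC P-256 JWK
# with placeholder coordinates, and the authorization objects a server returns for an
# order covering *.example.org, example.com and example.net. A wildcard identifier is
# returned with "wildcard": true and, at Let's Encrypt, is offered only dns-01.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256",
               "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
               "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
AUTHZS = [
    {"identifier": {"type": "dns", "value": "example.org"}, "wildcard": True,
     "challenges": [{"type": "dns-01", "token": "tokOrg"}]},
    {"identifier": {"type": "dns", "value": "example.com"},
     "challenges": [{"type": "http-01", "token": "tokCom"},
                    {"type": "dns-01", "token": "tokComDns"}]},
    {"identifier": {"type": "dns", "value": "example.net"},
     "challenges": [{"type": "http-01", "token": "tokNet"},
                    {"type": "dns-01", "token": "tokNetDns"}]},
]
# Which challenge type to use for each requested name (the mixed setup asked about).
POLICY = {"*.example.org": "dns-01", "example.com": "http-01", "example.net": "http-01"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: required members only, lexicographically sorted, no whitespace, SHA-256.
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canon = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canon.encode()).digest())

def plan_challenges(authzs: list, jwk: dict, policy: dict) -> dict:
    """Pick one challenge per authorization from policy; return what must be published."""
    thumb = jwk_thumbprint(jwk)
    plan = {}
    for authz in authzs:
        base = authz["identifier"]["value"]
        name = "*." + base if authz.get("wildcard") else base
        offered = {c["type"]: c for c in authz["challenges"]}
        wanted = policy[name]
        if wanted not in offered:  # e.g. http-01 requested for a wildcard name
            raise ValueError(f"{name}: {wanted} not offered; server offers {sorted(offered)}")
        key_auth = f"{offered[wanted]['token']}.{thumb}"  # RFC 8555 section 8.1
        if wanted == "http-01":   # serve key_auth at the token path over HTTP
            plan[name] = {"type": wanted, "body": key_auth,
                          "path": f"/.well-known/acme-challenge/{offered[wanted]['token']}"}
        else:                     # section 8.4: TXT record holds base64url(SHA-256(key_auth))
            txt = b64url(hashlib.sha256(key_auth.encode()).digest())
            plan[name] = {"type": wanted, "record": f"_acme-challenge.{base}", "txt": txt}
    return plan
```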

OK, so the challenge is to find the ACME clients that do support mixed authentication types.
[that would be the ideal solution]

2 Likes

Or develop the support for certbot yourself :laughing: It's open source after all!

3 Likes

Posh-ACME is one that does and works just fine cross-platform if you're willing to install PowerShell.

3 Likes

Hmm, I actually would have thought that most clients supported doing different domains with different challenges. Even if one would do them all with DNS-01 it wouldn't be that unusual for the domains to be using different DNS providers.

I'm pretty sure acme.sh supports it (See their How to issue a cert page, section 3 "Multiple domains, SAN mode, Hybrid mode").

Dehydrated gives a little bit of guidance on how to hack it to use multiple hooks; so it might be possible with that client too: Example: Using multiple hooks

I suspect many could be coaxed to do it somehow, though you might need to write a custom plugin or the like. But usually if you're going to bother getting one domain through a DNS challenge, it may be just as easy to get the other domains that way too, just because you need to have the DNS automation set up anyway.

2 Likes

It maybe doesn't help you currently but Certify The Web (https://certifytheweb.com) supports multiple authorization configurations per managed certificate, with domain matching rules so you can cluster authorization methods/API credentials as required. So yes, some clients definitely do support this :slight_smile:

We do have a Linux version in the works, but it's not ready yet unfortunately.

2 Likes

It's definitely not possible with dehydrated, but it looks like acme.sh may support this. Thanks!

2 Likes
