At my house, I’ve got multiple servers behind my router.
- Port 6700: NAS (nas.domain.tld)
- Port 9898: Server 1 (server1.domain.tld)
- Port 8787: Server 2 (server2.domain.tld)
The NAS, Server 1, and Server 2 are all their own physical servers. Should I create certs for each of those individual servers, or should I create a single certificate and share it across all 3 servers manually?
Either way will work, so I’ll try and guide you along the process so you can decide which works better for you.
In order to issue Let’s Encrypt certificates, the requesting server must be able to prove ownership over all domains being requested. This can be done in one of three ways: By placing a specific text file in a specific location accessible via HTTP(S) GET, by reconfiguring the webserver to respond with a specific temporary certificate to requests to a specific SNI name, or by configuring a specific DNS TXT record. Note that the first two require access over external ports 80 and 443, respectively, but these can be re-mapped internally. That is, if your NAS is listening for incoming HTTP requests on 6700, and your router is forwarding requests on external port 80 to the NAS on port 6700, this is fine. If the router is also listening on 6700, this will be a problem.
So, if you run Certbot (or any other client of your choosing) on Server1, it would need the ability to respond to challenges for all three domains, and also distribute the certificate and key to them.
However, if you ran Certbot/other client on each individually, you could request three different certificates with only the domain name for the server they belong to and not have to worry about answering challenges for other servers, or transferring keys/certificates and whatnot.
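The reply above describes the HTTP-01 challenge as "placing a specific text file in a specific location accessible via HTTP(S) GET" and notes that the router must forward external port 80 to whatever internal port the server listens on. The pre-flight check below is an added example (not code from this thread or from Certbot): it writes a throwaway probe token into a webroot at the path an ACME client would use (`/.well-known/acme-challenge/<token>`), then fetches it back over HTTP and compares the body. In real use the `base_url` would be the public name (e.g. `http://nas.domain.tld`, port 80 as seen from outside, even if the NAS itself listens on 6700); the demo stands up a constructed local server on a random loopback port so it runs offline. The webroot path, port and token values are all assumptions made for the example.

```python
"""Pre-flight check for the ACME HTTP-01 token path (added example)."""
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

# Path an ACME client serves its challenge tokens from (RFC 8555, HTTP-01).
CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe_token(webroot):
    """Write a random probe file where the ACME client would place its token.

    Returns (token, absolute_path). Using a random token means a stale file
    from an earlier run cannot produce a false positive.
    """
    token = secrets.token_urlsafe(32)
    challenge_path = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(challenge_path, exist_ok=True)
    path = os.path.join(challenge_path, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path


def probe_reachable(base_url, token, timeout=5):
    """GET <base_url>/.well-known/acme-challenge/<token>.

    True only on a 200 whose body is exactly the token, which is what the
    CA's validation server checks. 404s, connection refusals and timeouts
    (typical symptoms of a missing port-80 forward) all return False.
    """
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200 and resp.read().decode("ascii") == token
    except (urllib.error.URLError, OSError, UnicodeDecodeError):
        return False


def check_webroot(webroot, base_url):
    """Full check: drop a token into the webroot, confirm it is fetchable, clean up."""
    token, path = write_probe_token(webroot)
    try:
        return probe_reachable(base_url, token)
    finally:
        os.remove(path)


def serve_webroot(webroot):
    """Constructed stand-in for the real web server: serve `webroot` on a free
    loopback port. Returns (server, port)."""
    handler = partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def demo():
    """Run the check against a local server; returns (reachable, wrong_prefix_rejected)."""
    webroot = tempfile.mkdtemp(prefix="acme-probe-")
    server, port = serve_webroot(webroot)
    try:
        good = check_webroot(webroot, f"http://127.0.0.1:{port}")
        # Simulates a misrouted request (e.g. the forward lands on a different
        # vhost or path): the token is not where the CA would look for it.
        bad = check_webroot(webroot, f"http://127.0.0.1:{port}/wrong-prefix")
        return good, bad
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    reachable, rejected = demo()
    print("challenge path reachable:", reachable)
    print("misrouted path correctly rejected:", not rejected)
```

Run it once per hostname before asking Certbot for a certificate; if the real check fails against the public name but succeeds from inside the LAN, the router's port-80 forward (or hairpin NAT) is the usual culprit rather than the web server itself.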
The answer depends on unknown factors… Like:
- Required security level.
- Appliances' ability to obtain LE certs.
If you are comfortable with having the same cert on all three devices, then one cert may simplify things.
If the individual appliances already have built-in menu driven options for obtaining LE certs then that choice seems simplest and obvious for that device.
If any devices don’t have an easy method then you may need an ACME client to help obtain the remaining.