Do I need 2 separate certificates for split DNS environment?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
I have not run a command yet.

It produced this output:
My web server is (include version):

The operating system my web server runs on is (include version):
Windows Server 2016

My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

I have a split DNS environment (internal server DNS name is different than the external DNS name). If I install the client and generate a certificate I am assuming it will pull the FQDN (internal DNS name) which will not match the public facing name. Do I need 2 separate certificates or can I specify the name on the certificate to be the external name? I want the external DNS name to be on the certificate so that the applications we are hosting will resolve properly.

Your assumption is incorrect: the ACME client doesn't validate the FQDN, the (remote) Let's Encrypt validation server does. So it'll try to connect to the IP address resolved from the public, external DNS (http-01 or tls-alpn-01 challenges) or use the authoritative DNS servers for validation (dns-01 challenge).


In addition to what @Osiris said, LetsEncrypt can only issue Certificates to the public internet / external DNS names. You cannot get a Certificate from LetsEncrypt for the internal LAN names.


Unless you can publish the appropriate DNS TXT records to the public DNS zone associated with those names and the name is part of a real ICANN domain.


Well yes, you can map or remap them internally -- but the DNS records need to be externally/publicly verifiable.

Hi @mballinger and welcome to the LE community forum 🙂

I presume the reason being that you are using the exact same set of FQDNs and simply want to return a different set of IPs from each zone.
[external IPs from external zone - internal IPs from internal zone]

That said, since you plan on requesting a wildcard cert, you will have to ensure the ACME client can update the actual DNS zone for the real Internet domain - OR process the request manually (NOT recommended).
So the first hurdle is using a DNS Service Provider (DSP) that supports zone updates via API.
The second hurdle is using an ACME client that has a plugin for that DSP.

Feel free to ask questions and/or for advice along the way.
