Enable SSL for subdomain on another host

I transferred one of the subdomains of the main site to another server.
Main domain: khoshpaz.ir IP :
Sub domain: lordegan.khoshpaz.ir IP:
But when I request SSL for subdomain, I get a 400 error.
How do I fix this?
I use Plesk

Error Content:
Could not issue an SSL/TLS certificate for lordegan.khoshpaz.ir

Could not issue a Let’s Encrypt SSL/TLS certificate for lordegan.khoshpaz.ir . Authorization for the domain failed.

Invalid response from https://acme-v02.api.letsencrypt.org/acme/authz-v3/4194331668.


Type: urn:ietf:params:acme:error:dns

Status: 400

Detail: During secondary validation: DNS problem: query timed out looking up A for lordegan.khoshpaz.ir

1 Like

Hi @srostam

if you have the “During secondary validation” error: First read

So the main Letsencrypt servers are able to check your domain. The secondary servers may be blocked.

Checking your subdomain - https://check-your-website.server-daten.de/?q=lordegan.khoshpaz.ir there are some minor name server problems visible.

Checking your main domain that doesn’t look good - https://check-your-website.server-daten.de/?q=khoshpaz.ir

One ip address with your website and both of your name servers - ns1.khoshpaz.ir + ns2.khoshpaz.ir - Normally, name servers should have different ip addresses.

May be there is a regional firewall, so the secondary servers are blocked.

And there is a new certificate of your subdomain:

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-04-22 2020-07-21 lordegan.khoshpaz.ir, www.lordegan.khoshpaz.ir - 2 entries duplicate nr. 1

Created 2020-04-22. Isn’t it possible to use that?

1 Like

Thank you
I removed the subdomain host and then transferred the information to the new host
I have backup information. If I restore the backup, can I use the previous SSL?

I don’t know the content of your backup.

Apologies for hijacking your thread. I have setup private LAN certificate authorities long before LetsEncrypt came along. Noticed there is subdomain and wildcard functionality of some kind and wondering what the restrictions? Can you now have LetsEncrypt issue you a certificate to mydomain.example.com such that you can become an intermediate or less CA for all machines underneath mydomain.example.com? Could LinuxBox35.mydomain.example.com have a certificate that chains up thru my own CA and on upto LetsEncrypt as the root CA?

No, that is and will never be possible. All certificates issued by Let’s Encrypt are end leaf certificates without any possibility of signing other certificates.

You could however issue a certificate with *.mydomain.example.com if you’ve got DNS access to that zone.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.