ERR_CERT_COMMON_NAME_INVALID for Subdomain in different server

Why does a generated certificate for a subdomain show the ERR_CERT_COMMON_NAME_INVALID error in the browser when the root domain is on another server, and only work when I include the subdomain in another domain's certificate?

So the certificate for in server B, but is in server A, shows the error; is that normal?
But the certificate for, in server B works.

Server is Apache (both A & B)

Command used:
certbot certonly --cert-name -d

Config check OK, certificate generated in /etc/letsencrypt/live/

The issue will be that on server B you used a slightly different command when you first got your certificates, and you included all the required names. Try typing history to get a list of all commands you have recently run to see what you ran last time.

You can "expand" the list of domains to include on your certificate using certbot --expand -d,,

Why do two servers have certificates for the same domains? Are you load balancing the site between two servers?

Server A hosts the root domain
Server B hosts a totally different site, but I want to use a subdomain of which is
No load balancing though.

Do I have to include in Server B? certbot certonly --cert-name -d -d -d

Yeah, probably when installing the root cert in Server A I used a different command.

By the way, is a certificate generated for multiple different domains (,) legit? Because when I go to, the browser shows the certificate is for, but otherwise no error.

Different servers running different services (via different subdomains) don't need to share any certificate information. No, server B running doesn't need to include in its cert.

So you can have one server running and a completely different one running, with completely independent certificates. Or, they could be hosted on the same machine with one cert covering both names, up to you.

So the fact that something is a subdomain of something else pretty much doesn't matter, you can treat them separately.

Assuming you are using HTTP validation, each domain requires validation, which requires each server to respond with a very specific challenge response each time you renew the cert, so a server will generally only renew its own certs for the name(s) it uses.

Some browsers (Chrome) treat and as valid even if the cert is just for (I think). Other browsers will say invalid name if you try to deviate at all from exactly what's on the certificate. A Let's Encrypt certificate can include up to 100 domains and subdomains in one cert.

You can also create wildcard certs * which cover any subdomain 1 level deep, but you need to use DNS validation instead of http validation for that.

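The post above comes down to one rule: a browser accepts a name only if it appears in the served certificate's subjectAltName list (or matches a single-label wildcard there); being a subdomain of some other name means nothing. The script below is an added example, not code from the thread or from Certbot, that applies that rule to a certificate the way a browser would and can also fetch what a live server actually presents for a hostname. The sample certificate dictionary, the hostnames `siteb.example`, `sub.sitea.example` and `*.example.org`, and the function names are all constructed for the example; the dictionary shape is the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
"""Check which names a served certificate covers and whether a hostname would
be accepted for it (added example; not part of the forum thread or Certbot).

Matching follows what browsers do with the subjectAltName extension: exact,
case-insensitive DNS-name match, or a wildcard such as *.example.com that
covers exactly one label of subdomain. The subject CN is only consulted when
no SAN extension is present, which is how modern browsers behave.
"""
import socket
import ssl
import sys

# Constructed sample shaped like ssl.SSLSocket.getpeercert(): the kind of
# certificate server B in the thread would serve for its own site only.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "siteb.example"),),),
    "subjectAltName": (("DNS", "siteb.example"), ("DNS", "www.siteb.example")),
}


def cert_names(peercert):
    """Return the DNS names the certificate is valid for (SANs, else CN)."""
    sans = [value for kind, value in peercert.get("subjectAltName", ())
            if kind == "DNS"]
    if sans:
        return sans
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(pattern, hostname):
    """RFC 6125-style comparison of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # '*' stands for exactly one label: *.example.com covers www.example.com
    # but neither example.com itself nor a.b.example.com (two levels deep).
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def hostname_matches(peercert, hostname):
    """True if any name in the certificate covers `hostname`."""
    return any(name_matches(name, hostname) for name in cert_names(peercert))


def diagnose(peercert, hostname):
    """Report the browser's decision in the terms the thread uses."""
    names = cert_names(peercert)
    if hostname_matches(peercert, hostname):
        return f"OK: {hostname} is covered by {names}"
    return (f"ERR_CERT_COMMON_NAME_INVALID: {hostname} is not in {names}; "
            f"the vhost answering for it is serving the wrong certificate")


def fetch_peercert(hostname, port=443):
    """Fetch the certificate a live server presents for `hostname` via SNI.

    The chain is still verified against the system trust store (a Let's
    Encrypt certificate passes); only the hostname check is skipped so a
    name mismatch is reported by diagnose() instead of raising here.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python check_cert.py sub.sitea.example
        host = sys.argv[1]
        print(diagnose(fetch_peercert(host), host))
    else:
        for host in ("www.siteb.example", "sub.sitea.example"):
            print(diagnose(SAMPLE_PEERCERT, host))
```

Run it with a hostname argument to see which names the live vhost really serves for that SNI name; if the new lineage from `certbot certonly` is not listed, the Apache vhost is still pointing at the old certificate files rather than the new ones under /etc/letsencrypt/live/.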

In server B I noticed the subdomain was included in's cert, so I tried to separate them by removing from with certbot certonly --cert-name -d -d

Then I created a new certonly for with certbot certonly --cert-name -d, but it isn't getting used (hence the Chrome error).

According to history, I used certbot --apache in Server A with only &

So, should I just try to separate the from again, and then use certbot --apache to renew all my domains in server B?

If I run certbot certificates:, --> this one wasn't used even after I removed from
