How are virtual host domains validated?

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:

It produced this output:

My operating system is (include version):

My web server is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi @tbrowder I think something went wrong with your post. You might need to add some answers to the questions above…

Could you specify your question more specific? Because there currently are three (3) ways for Let’s Encrypt (LE) to validat a domain for issuing certificates, of which 1 is dependend and 2 are independend of the fact if a host is a virtual one or not:

  • dns-01 challenge: you put a specific TXT record (containing the ‘token’ for authorization) ‘below’ the domain you’d like to validate and LE checks this DNS-record. It proves you’ve got control over the FQDN. This challenge would be independend of the way a webserver provides its hosts, virtual or not;
  • tls-sni-01 challenge: the client generates a custom, not-for-general-use certificate with the ‘token’ as the domain name for that certificate and your webserver will provide this certificate when specifically asked by the LE server through SNI. This challenge would also be independend of virtual hosting or not;
  • http-01 challenge: you put a specific file containing the token in the /.well-known/acme-challenge/ dir under the (virtual) host (corresponding with the FQDN of which you would like a certificate) of your webserver and LE checks the existence and contents of this file. This would of course be dependend of the (virtual) host, but it should not matter if the host is “virtual” or not. Just as long as anybody can reach it publically…

Hi @tbrowder, are you wondering about how the ACME technology used by Let’s Encrypt works, or are you looking for advice for how to get a certificate for your own web site?

schoen Certbot engineer
February 8

Hi @tbrowder, are you
wondering about how the ACME technology used by Let's Encrypt works, or are
you looking for advice for how to get a certificate for your own web site?

Hi, Schoen.

I think I just found the answer I need. It looks like the dns method is
best for me to get a single cert for each of my several domains and
subdomains which move around on several servers occasionally. I'm going to
try the client to do that.

Best regards,


@schoen, I’ve changd my mind: I’m going to try the full auto route (Apache 2.4, Debian jessie, 64-bit). I currently use one cert per vhost and would like to continue that. From my looking at the docs it looks like I would need a separate run of certbot for each domain. Questions:

Will that work?

How is the output file named for and in the same cert?

Do I have control over my public/private key pair?

Will there be separate keys for each cert?



Typically it will be whichever one you specified first on the command line with -d, e.g. /etc/letsencrypt/live/ if you ran with certbot -d -d

In the sense of being the only one in possession of your private key? Yes, it's generated on your own machine by Certbot and never shared.

In the sense of being able to choose a private key of your choice? Currently this doesn't work in Certbot with automatic renewal. There is a way to specify a CSR on the command line if you generate it externally, which allows you to use a private key of your choice, but then Certbot will not be able to renew the certificate for you.

Yes, currently that's a requirement (unless you use the CSR approach I mentioned above). They will also currently change with each renewal. We have an issue and some work toward a new feature where you can keep the same key pair when renewing.

Thanks–very helpful!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.