I want to clean up this mess

My domain is:

klamann-service.de

and a look at this Let's Debug output shows a complete mess

I used presumably different accounts and want to replace this all with a wildcard certificate *.klamann-service.de, verified by DNS.

What is the best method to do this? Could a DNS-verified certificate exist in parallel to the specific ones? How and when can I retire the old ones?

I searched around but found no document which seems to apply. Pointers are most welcome.

Thanks for your time

Norbert

I don't know if it helps to judge things so harshly :laughing:. There's nothing wrong with having a lot of different certificates if you have a lot of different domains.

The only thing that looks weird there is the multiple certificates for karpaten.klamann-service.de. Maybe you have some duplicates on your system, maybe you just renewed them a few times.

I think some context for your question would help get answers:

  1. Are these certificates all used on a single server?
  2. What ACME client did you use to get them? e.g. Certbot.
  3. Who is your DNS host/who runs ns1.first-ns.de? You will need a DNS host that supports programmatic updates if you want to make use of a wildcard certificate.

The certificates are on different servers. 'klamann-service.de' is used for all kinds of back-office stuff, Gitea instances and stuff like that. The servers themselves are placed in different VMs.

My problem is not the certificates as such, but I have different mail addresses and - presumably - different accounts in them. I want to streamline that.

Normally I don't want to open port 80, and my DNS is hosted at Hetzner, so certbot-dns-hetzner · PyPI should help.

Nowadays I use certbot, but tried different things in the past.

My idea was that I request a *.klamann-service.de certificate and reference it again and again. Thinking about it, I presume that nevertheless each server must renew its 'own' certificates. Or do I have to copy one certificate to all servers?

It's typical to have different ACME accounts on different servers (unless you have a rate limit exemption, then you usually need to use the same account everywhere).

You can update the email address of each account to the same address. It's just contact information, not a "username".

Great!

Correct.

Renewed certificates are just new certificates with an updated expiry date.

Each place where you use a certificate must have some strategy for obtaining a new certificate at renewal time.

You could have one server which renews the certificate, and distributes it to the other servers at each renewal, using a Certbot --deploy-hook or something similar.

As you can imagine, this complicates life. You now have extra problems to solve: how to implement this synchronization process, how to make sure it is resilient if a server is down, etc.

Having each server issue its own independent certificate is simple and it works, even if having many certificates isn't the neatest thing.

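A distribution hook of the kind described in the reply above, as an added example that is not from this thread or from Certbot itself. Certbot does export RENEWED_LINEAGE and RENEWED_DOMAINS to a --deploy-hook; the target host list, the staging directory, the remote path and the nginx reload are assumptions for this example.

```shell
#!/bin/sh
# Certbot --deploy-hook for the *.klamann-service.de lineage: stage the renewed
# files with tight permissions, then push them to the other servers.
# Certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/klamann-service.de)
# and RENEWED_DOMAINS (space separated) to deploy hooks; the host list, staging
# path and nginx reload below are assumptions for this example.
set -eu

WANTED_DOMAIN="*.klamann-service.de"
TARGET_HOSTS="${TARGET_HOSTS:-}"             # assumed: "gitea.klamann-service.de ..."
STAGE_DIR="${STAGE_DIR:-/var/lib/cert-sync}" # assumed local staging directory

# lineage_matches DOMAINS: true only if this renewal covers the wildcard name.
# case is used instead of a for loop so the '*' in the name is never glob-expanded.
lineage_matches() {
    case " $1 " in
        *" $WANTED_DOMAIN "*) return 0 ;;
        *) return 1 ;;
    esac
}

# stage_lineage LINEAGE_DIR OUT_DIR: copy fullchain/privkey, fail on missing
# files, and keep the key 0600 so no world-readable copy ever lands on disk.
stage_lineage() {
    lineage="$1"; out="$2"
    for f in fullchain.pem privkey.pem; do
        [ -s "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    umask 077
    mkdir -p "$out"
    cp "$lineage/fullchain.pem" "$out/fullchain.pem"
    cp "$lineage/privkey.pem" "$out/privkey.pem"
    chmod 0644 "$out/fullchain.pem"
    chmod 0600 "$out/privkey.pem"
}

# push_to_hosts OUT_DIR: rsync over SSH (-a preserves the permissions set above)
# and reload the web server on each peer.
push_to_hosts() {
    for h in $TARGET_HOSTS; do
        rsync -a "$1/" "root@$h:/etc/ssl/klamann-service.de/"
        ssh "root@$h" systemctl reload nginx
    done
}

if [ -n "${RENEWED_LINEAGE:-}" ]; then            # only act when Certbot called us
    lineage_matches "${RENEWED_DOMAINS:-}" || exit 0  # some other lineage renewed
    stage_lineage "$RENEWED_LINEAGE" "$STAGE_DIR"
    push_to_hosts "$STAGE_DIR"
fi
```

Install it with `certbot ... --deploy-hook /path/to/this-script.sh`; the peers still need their own reload step, and a server that is down at renewal time must be caught up later, which is the synchronization problem the reply warns about.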

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.