Installing, DNS, subdomains..... help my spaghetti-entangled head

certbot version 1.12
Debian 10 - updated
Yes, SSH access
Apache 2.4.38-3+deb10u4 amd64

I'm trying to get SSL setup on a new server, and the plethora of options is getting foggy, since we don't exactly fit into the standard scenarios. Any guidance much appreciated!
Note: Any details below that provoke a "why on this planet would you do that" would generally be answered with "it's legacy, and I haven't gotten that far down the to-do list". :grin:

We host our own DNS. The PRIMARY domain [] is hosted off-campus, and uses a wildcard cert from GoDaddy. We host several SUBdomains here on campus [for example,]. There are several others - basically anything OTHER than Some already exist on this machine, others will be moved over when the time is right.

  • Why not just use the GoDaddy cert on our local machine? It's a pain. Can't be autorenewed, so once a year I have to go muck around the server. It's also $400, and we're a school. Eventually I hope to use LetsEncrypt for the primary site, but that can't happen this week.... or next.

There's the background.
What I've done so far [assuming I remember correctly]:

  • Installed pip3.
  • Using pip3, installed certbot and certbot-dns-standalone.
  • Had to upgrade cryptography [pip3 install -U cryptography].


  1. Do I try for a wildcard cert on this server, given we already have a wildcard cert for the main domain?
  2. or do I just install individual subdomain certs for each subdomain?
  3. What's the best/easiest procedure to make this happen?
  4. Any headache-avoidance strategies you can suggest?

Hopefully one day I can return the favor

1 Like

Hi @MDStech

  1. you can. The GoDaddy wildcard isn't relevant. You can create a single wildcard and deploy it to all of your machines. With dns validation.

  2. You can too. Do you have 10 - 30 subdomains? Or more then 50? More then 50 - check the rate limit page. Non-wildcard -> http validation is possible, but if you have a working dns update, you can use dns validation.

Choose a solution and start with the first subdomain.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.