Is it possible to have a second Letsencrypt Certificate for the same Domain

I have a question regarding domain with Letsencrypt Certs which we want to put behind Akamai.

Is it possible to have a second Letsencrypt Certificate for the same Domain?
If it's possible, are there restrictions on domain validation (HTTP token / DNS token / URL redirect)? The idea is that there will be a single domain, but that domain is mapped to different IPs (which will route on a geolocation basis). Or is there any limitation on cert creation for the same domain? I am using the lets-encrypt prod issuer for issuing certs, because it looks like the certificate creation is failing for the second deployment.

Best practice is to have as few certificates as possible, and no more than one certificate with the same set of names.

Having said that, you can have as many certificates as the Rate Limits allow. Particularly these:

The main limit is Certificates per Registered Domain (50 per week)

Duplicate Certificate limit of 5 per week.

2 Likes

You may need to use the DNS Challenge.

For the HTTP Challenge the Let's Encrypt server needs to see the challenge token returned to it. When you have multiple servers that could respond, each must be able to reply to the LE server with the correct token. This is often difficult to coordinate with an ACME Client. The Let's Encrypt servers are in various places around the world, so they may be affected by your IP geolocation routing.

Can you map the HTTP challenge to the same server regardless of geolocation? That is, can you map all URIs of /.well-known/acme-challenge/ to the server where your ACME Client has set up the HTTP Challenge? Then, just copy the resulting cert to the other server.

It is difficult to be more specific without more specifics from you.

6 Likes
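A pre-flight check for the situation this reply describes, written as an added example (not code from the thread or from Let's Encrypt): connect to every IP the name resolves to, request the challenge path while presenting the real Host header, follow redirects the way the validator does (Let's Encrypt follows up to 10), and report which regional IP would fail to serve the token. The names, IPs and token below are constructed; `http_fetch` is the real network fetcher, `make_fake_fetch` only simulates the two-cluster deployment so the script runs offline.

```python
"""Pre-flight check for HTTP-01 validation behind geo-routed DNS.

Added example, not code from the Let's Encrypt community thread. Names,
IPs and tokens are constructed placeholders.
"""
import http.client
from urllib.parse import urlsplit

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
MAX_REDIRECTS = 10            # Let's Encrypt follows up to 10 redirects for HTTP-01
REDIRECT_CODES = {301, 302, 303, 307, 308}


def http_fetch(url, host, timeout=10):
    """One GET without following redirects. Returns (status, location, body).

    The Host header is set explicitly so we can connect to a specific IP while
    presenting the real name, exactly as a validator that resolved that IP would.
    """
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=timeout)
    conn.request("GET", p.path or "/", headers={"Host": host})
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return resp.status, resp.getheader("Location"), body


def follow_chain(ip, host, path, fetch, max_redirects=MAX_REDIRECTS):
    """Start at http://<ip><path> with Host: <host>; redirect hops go by name."""
    url = f"http://{ip}{path}"
    chain = []
    for _ in range(max_redirects + 1):
        status, location, body = fetch(url, host)
        chain.append((url, status))
        if status in REDIRECT_CODES and location:
            url = location
            host = urlsplit(location).hostname
            continue
        return status, body, chain
    return None, None, chain  # loop or too many hops: validation would fail


def check_vantage_points(host, ips, token, expected_body, fetch=http_fetch):
    """Return {ip: bool}: does each regional IP end up serving the expected token?"""
    path = CHALLENGE_PREFIX + token
    results = {}
    for ip in ips:
        status, body, _chain = follow_chain(ip, host, path, fetch)
        results[ip] = status == 200 and body is not None and body.strip() == expected_body
    return results


# --- constructed simulation of the two-cluster deployment from the thread ---
HOST = "example.com"
TOKEN = "constructed-token"
EXPECTED = TOKEN + ".constructed-thumbprint"       # HTTP-01 body is token.thumbprint
GEO_IPS = ["203.0.113.10", "198.51.100.20"]        # us-central and us-east ingress IPs
RENEWAL_HOST, RENEWAL_IP = "acme.example.com", "192.0.2.5"
FAKE_DNS = {HOST: GEO_IPS[0], RENEWAL_HOST: RENEWAL_IP}   # name -> IP for redirect hops


def make_fake_fetch(backends):
    """backends: {ip: {path: (status, location, body)}}; unknown paths answer 404."""
    def fake_fetch(url, host):
        p = urlsplit(url)
        ip = p.hostname if p.hostname in backends else FAKE_DNS[p.hostname]
        return backends[ip].get(p.path, (404, None, "not found"))
    return fake_fetch


CHALLENGE = {CHALLENGE_PREFIX + TOKEN: (200, None, EXPECTED)}
# Scenario 1: the ACME client solved the challenge only in the us-central cluster.
NO_REDIRECT = {GEO_IPS[0]: dict(CHALLENGE), GEO_IPS[1]: {}}
# Scenario 2: every regional ingress 302s the challenge path to one renewal host.
REDIRECT = {CHALLENGE_PREFIX + TOKEN: (302, f"http://{RENEWAL_HOST}{CHALLENGE_PREFIX}{TOKEN}", "")}
WITH_REDIRECT = {GEO_IPS[0]: dict(REDIRECT), GEO_IPS[1]: dict(REDIRECT), RENEWAL_IP: dict(CHALLENGE)}


def demo():
    """Run both constructed scenarios; the second IP only passes with the redirect."""
    return (check_vantage_points(HOST, GEO_IPS, TOKEN, EXPECTED, make_fake_fetch(NO_REDIRECT)),
            check_vantage_points(HOST, GEO_IPS, TOKEN, EXPECTED, make_fake_fetch(WITH_REDIRECT)))


if __name__ == "__main__":
    print(demo())
```

Against a live deployment, call `check_vantage_points` with the default `http_fetch`, the IPs from your DNS answers, and a throwaway token you placed under the challenge path on the renewal server; an IP that reports `False` is one the validator may be routed to and fail on.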

And if you share the single cert, the number of servers that can use it is only limited by your wallet [your ability to create servers throughout the Internet that will resolve that same name to distinct IPs].

You will have to play some DNS tricks to force the HTTP ACME challenge requests to only point to a single renewal server to ensure it can be renewed easily.

3 Likes

Thanks for the quick response.

So I have deployed everything in GKE, which are regional clusters (us-central-1, us-east-2). So let's say I have 2 GKE clusters deployed, and in both GKE clusters the application is deployed, and I am using cert-manager and all, like a typical deployment for renewal of certificates and all, with nginx ingress, as ultimately the IPs for this will be mapped to the domain. So if I understand the question about ACME: from wherever the Let's Encrypt server is verifying that token, the relevant IP will be resolved for that particular URI based on the location of the Let's Encrypt server, correct? So ideally it should be able to resolve to the IP and issue the certificate for both the URLs, until the limit of 5 certs per week is reached, right?

If I were handling your system, I would choose one of two options:

1- Use the DNS-01 challenge with the acme_challenge DNS record delegated to an acme-dns instance. Run your ACME client in your office, and have a script install the certificates on all your geographic locations.

2- Use a webserver/load-balancer that supports cloud storage of certificates.

A variant on this is to do a 302 redirect on /acme-challenge from all your different domains onto a single dedicated domain/machine that will run the ACME client.

3 Likes
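The redirect variant from the reply above, as an added nginx configuration example (not from the thread or any project): every regional edge hands the challenge path to a single renewal host, which is the only machine running the ACME client. The hostnames `example.com` and `acme.example.com` and the webroot `/var/www/acme` are assumptions.

```nginx
# On every regional edge / ingress that answers for example.com (assumed name):
server {
    listen 80;
    server_name example.com;

    # Hand HTTP-01 validation to the one renewal host. The validator follows
    # redirects, so the token only has to exist there.
    location ^~ /.well-known/acme-challenge/ {
        return 302 http://acme.example.com$request_uri;
    }

    # Everything else keeps its usual redirect to HTTPS.
    location / {
        return 301 https://$host$request_uri;
    }
}

# On acme.example.com (assumed name), the only machine running the ACME client.
# This name must resolve to a single, non-geo-routed IP.
server {
    listen 80;
    server_name acme.example.com;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;          # webroot the ACME client writes tokens into
        default_type text/plain;
        try_files $uri =404;
    }
}
```

The certificate is still issued for `example.com`, so the renewal host only solves the challenge; the resulting certificate and key still have to be copied to each regional deployment, which is the script step from option 1.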
