LE cert for subdomain with CNAME pointing to DDNS domain?

OK, my setup has a lot of moving parts so bear with me.

I’m currently hosting a private cloud service on an Ubuntu server box in my house. Since my public IP is dynamic, I got myself a DDNS domain from DuckDNS so I could access my cloud service via that DDNS domain (i.e. “mynetwork.duckdns.org”). That part is already set up and working great.

I then installed certbot on the Ubuntu box to obtain, install and renew a Let’s Encrypt certificate for my private cloud system, which uses Apache. That part is also up and running great.

This cloud service is actually for my small company, which creates a problem for me when I share anything from my cloud service, since the URL that is being produced is something like https://mynetwork.duckdns.org/something-something, which is just unprofessional.

To solve this, and since my company has its own domain, I created a subdomain (i.e. “cloud.mycompany.com”) and pointed it to my DuckDNS domain via a CNAME record entry. That part is working great as well.

But, if I access my cloud service via my subdomain, I get a certificate warning saying that the URL used to access the webpage (“cloud.mycompany.com”) doesn’t match the URL of the SSL certificate (“mynetwork.duckdns.org”).

This is where I’m getting stuck.
I thought that the solution was to install an SSL certificate for the subdomain. So, I went to HostGator (since they are the ones managing my domain and hosting my webpage), installed one of the free SSL certificates that they offer and applied it to my subdomain.

Well, this produces the same result as before with the same warning as before. The webpage loads the certificate from the DDNS domain and completely ignores the one for the subdomain.

I then thought about using certbot on my Ubuntu box to request a certificate for my HostGator subdomain, save the certificates locally and install them via the Apache conf files. Well, this cannot be done, as HostGator doesn’t have an API to update the TXT DNS records.

So, what is the proper way to implement a Let’s Encrypt SSL certificate when we have a subdomain pointing to a DDNS service?

I’m sure I cannot be the only person in the world with this scenario.

2 Likes
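The warning described above means the name typed into the browser is not among the Subject Alternative Names of the certificate the server actually presents. The shell script below is an added example, not part of the original post: it pulls the SAN list from whatever certificate a host serves for a given name and checks whether that name is covered, handling the single-label wildcard case as well. The sample SAN line it ships with is constructed; `served_sans` needs network access and an OpenSSL that supports `x509 -ext` (1.1.1 or later).

```shell
#!/bin/sh
# Added example, not code from the thread: list the DNS names a served
# certificate is valid for and test whether a hostname is among them.

# Constructed sample: what the SAN line would look like once the certificate
# covers both names from the thread.
SAMPLE_SAN="DNS:mynetwork.duckdns.org, DNS:cloud.mycompany.com"

# Fetch the leaf certificate a host presents for a given SNI name and print its
# Subject Alternative Name entries as one comma-separated line. Needs network.
served_sans() {
    host="$1"
    printf '' | openssl s_client -connect "$host:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2p'
}

# Decide whether a SAN line such as "DNS:a.example, DNS:*.b.example" covers a
# hostname: exact match, or a wildcard standing in for exactly the leftmost
# label (*.mycompany.com covers cloud.mycompany.com, but neither
# a.b.mycompany.com nor mycompany.com itself). Comparison is case-insensitive.
san_covers() {
    wanted=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    parent=${wanted#*.}
    sans=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]' | tr ',' '\n' \
           | sed -n 's/^[[:space:]]*dns://p')
    for san in $sans; do
        [ "$san" = "$wanted" ] && return 0
        [ "$san" = "*.$parent" ] && [ "$parent" != "$wanted" ] && return 0
    done
    return 1
}

# Usage: sh check_san.sh check cloud.mycompany.com
# In the situation the thread describes, the served SAN list would contain only
# mynetwork.duckdns.org and the check reports a mismatch.
if [ "${1:-}" = "check" ]; then
    name="$2"
    sans=$(served_sans "$name")
    if san_covers "$name" "$sans"; then
        echo "$name is covered by: $sans"
    else
        echo "MISMATCH: $name is not in [$sans]; browsers will warn" >&2
        exit 1
    fi
fi
```

Running the check against the subdomain before and after changing the certificate is a quick way to confirm that the server, not the registrar's control panel, is the place the fix has to land.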

If I'm following your setup, I believe you need to have certbot on your Ubuntu box request a cert for both your mynetwork.duckdns.org name and cloud.mycompany.com. Since the cloud name is a CNAME pointing to your DDNS name, things should just work the same way they work for just the DDNS name.

2 Likes

I agree with @rmbolger's assessment. One extra caveat: you'll need to make sure your private cloud config also recognizes its name as cloud.mycompany.com. You may in fact prefer to make cloud.mycompany.com the only hostname recognized by your private cloud, and the only name on your certificate. The mynetwork.duckdns.org hostname would exist solely as a target for the CNAME.

2 Likes
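The two replies above come down to one certificate and one Apache vhost that both know about both names. The shell script below is an added example, not code from either poster: it builds the certbot webroot command covering both names, prints the matching Apache vhost with `ServerName`/`ServerAlias` (the point of the caveat about the private cloud recognising its own name), and checks the CNAME first. The webroot path `/var/www/html`, the contact e-mail address and the vhost file name are assumptions; the host names are the ones from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: one Let's Encrypt certificate that
# covers both the DDNS name and the company subdomain, plus the Apache vhost
# that serves it on Ubuntu. Webroot, e-mail and vhost file name are assumed.

DDNS_NAME="mynetwork.duckdns.org"
CLOUD_NAME="cloud.mycompany.com"
WEBROOT="/var/www/html"            # directory Apache serves "/" from (assumed)
EMAIL="admin@mycompany.com"        # hypothetical contact address

# Build the certbot command. Every -d name goes into one certificate; the first
# one names the lineage directory under /etc/letsencrypt/live/. The webroot
# plugin writes the HTTP-01 token under $WEBROOT/.well-known/acme-challenge/,
# which Let's Encrypt fetches over port 80 at the address the name resolves to,
# so that port has to reach Apache for every name listed.
build_certbot_cmd() {
    cmd="certbot certonly --webroot -w $WEBROOT --non-interactive --agree-tos --email $EMAIL"
    for name in "$@"; do
        cmd="$cmd -d $name"
    done
    printf '%s' "$cmd"
}

# Apache selects this vhost (and therefore this certificate) only for requests
# whose SNI / Host name matches ServerName or a ServerAlias, so the subdomain
# must be listed here as well, not just on the certificate.
vhost_snippet() {
    primary="$1"; shift
    printf '<VirtualHost *:443>\n'
    printf '    ServerName %s\n' "$primary"
    for alias in "$@"; do
        printf '    ServerAlias %s\n' "$alias"
    done
    printf '    SSLEngine on\n'
    printf '    SSLCertificateFile /etc/letsencrypt/live/%s/fullchain.pem\n' "$primary"
    printf '    SSLCertificateKeyFile /etc/letsencrypt/live/%s/privkey.pem\n' "$primary"
    printf '</VirtualHost>\n'
}

# Sanity check before requesting: the subdomain must be a CNAME to the DDNS
# name, otherwise the challenge is fetched from the wrong host and fails.
cname_points_to() {
    target=$(dig +short CNAME "$1" | sed 's/\.$//')
    [ "$target" = "$2" ]
}

# Usage (as root, on the Ubuntu box): sh issue_both.sh run
if [ "${1:-}" = "run" ]; then
    cname_points_to "$CLOUD_NAME" "$DDNS_NAME" \
        || { echo "$CLOUD_NAME is not a CNAME to $DDNS_NAME" >&2; exit 1; }
    sh -c "$(build_certbot_cmd "$CLOUD_NAME" "$DDNS_NAME")"
    vhost_snippet "$CLOUD_NAME" "$DDNS_NAME" > /etc/apache2/sites-available/cloud-ssl.conf
    a2ensite cloud-ssl && systemctl reload apache2
fi
```

Listing the subdomain as the first `-d` makes it the lineage name, matching the suggestion to treat `cloud.mycompany.com` as the primary identity and the DuckDNS name as nothing more than the CNAME target. Renewal needs no extra work: the `certbot renew` timer that Ubuntu's package installs re-validates every name in the certificate.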

@rmbolger and @jsha Thank you so much for the replies. I tried your suggestions by installing the certificates that HostGator created for cloud.mycompany.com and it worked (right after configuring the Apache conf files properly, as pointed out by @jsha).

I tried to obtain a certificate for cloud.mycompany.com myself but I just couldn't find a way of doing it. The two validation methods available are DNS or HTTP. HostGator doesn't have a DNS API, so I couldn't use that, and I'm behind a pfSense firewall that blocks all incoming traffic, making HTTP not an option for me.

I looked into adding a firewall rule to allow the HTTP method, but the developers of pfSense indicated that they cannot add such a rule if they don't know who exactly will try to penetrate the firewall in order to add the HTML file via port 80 as required for HTTP validation. They said that for security purposes Let's Encrypt doesn't publish such information to avoid potential forgery (which makes sense after they explained it to me).

In any event, I cannot create the certificates myself, so I'm left with using the certificates that HostGator automatically creates for cloud.mycompany.com, which are also Let's Encrypt certificates.

Now, I just need to figure out a way for my server to automatically download such certificates from HostGator before they expire. I may be able to do it with some Bash script magic, but that would be a topic for another forum.

Thanks again for pointing me in the right direction.

1 Like

I think you got bad info. You don't need the Let's Encrypt IP addresses to set up a port forward in pfSense. You just create a rule that has * as the source address, like this:

1 Like
