Let's Encrypt on 2 servers

We have a domain hosted on a server, except the Web that points to an external server through an A record in the DNS.

How could we implement Let's Encrypt Certificate if on one of the servers the root domain points to the external one?

There are two general options:

  1. Copy the Certificate from the Server on the Public Internet to the server on the Private Intranet.
  2. Use the DNS-01 Challenge, on any computer, to obtain a Certificate for the server on the Private Intranet.

Thanks for the reply jvanasco.

The two servers are connected to the internet, but have different IPs. In DNS, the root domain has IP X (of the web server) and the subdomains have IP Y (the other server, which has mail and so on). We set up Let's Encrypt through cPanel.

The problem we have is that the configurator does not allow creating a certificate without the root domain.

What "configurator"?


cPanel itself may or may not have what you need, so I will not speak to that, maybe there are some cPanel experts here who can help.

But if I understand what you're looking for, here are two options:

  1. Use the DNS-01 challenge from any "issuing" system, then deploy the key+certificate pair to your web-host systems using configuration management.
  2. Issue two certificates. If your systems are well-behaved, then the default rate-limits provide plenty of room to issue extra certificates so both servers can manage their renewals independently, even for the same domains. This option will NOT scale well, but is fine for a small handful of certs/domains if it enables you to automate.

You will have to contact your vendor to address that problem.

It sounds like all the domains are on the public internet, but you have issues configuring them. You will need to work with your software or hosting vendor to handle that.

In your situation, most people would use one certificate on IP X to handle web hosting, and one or more certificates on IP Y for each service.

You may be able to find some success with this:

  • IP X - generate a certificate on this machine for your web hosting, only using the web domain(s) and the HTTP-01 or TLS-ALPN-01 challenge.
  • IP Y - generate a certificate on this machine for each of the subdomains that point to it, preferably using HTTP-01 or TLS-ALPN-01 challenges. If your system must have the top-level domain on the certificate, you can use the DNS-01 challenge to authorize a certificate on that machine without serving traffic on that domain.

Your DNS must be configured to either direct traffic to an IP to perform a challenge (HTTP-01, TLS-ALPN-01), or serve the challenge itself (DNS-01). LetsEncrypt and (most) ACME Clients do not care if a server is configured to serve traffic for a domain, all they care about is successfully completing a challenge via one of the three methods.
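The rule in the reply above (a host can only pass HTTP-01/TLS-ALPN-01 for names whose A record points at it; anything else needs DNS-01) can be written down as a small planner. The following is an added example, not code from the thread or from any ACME client; the zone data, the `example.com` names and the 192.0.2.x addresses are constructed, and `dns_api_available` is a hypothetical flag standing in for "this host can publish `_acme-challenge` TXT records".

```python
"""Plan which ACME challenge each requested name can use from a given host.

Constructed example for a split-host layout: the web server (IP X) holds the
root domain, a second server (IP Y) holds the mail/service subdomains.
"""
from collections import defaultdict

HTTP_01 = "http-01"        # or tls-alpn-01: both need traffic for the name to reach this host
DNS_01 = "dns-01"          # needs the ability to publish _acme-challenge TXT records
UNVERIFIABLE = "unverifiable"

# Constructed DNS zone (A records). Addresses are documentation-range placeholders.
ZONE = {
    "example.com":      "192.0.2.10",  # IP X: web server
    "www.example.com":  "192.0.2.10",
    "mail.example.com": "192.0.2.20",  # IP Y: mail server
    "imap.example.com": "192.0.2.20",
}


def challenge_for(name, this_host_ip, zone, dns_api_available=False):
    """Return the challenge type this host can complete for `name`.

    HTTP-01/TLS-ALPN-01 are only possible if the A record sends traffic here.
    DNS-01 works from anywhere, but only if this host can edit the zone
    (hypothetical `dns_api_available` flag). Otherwise the name cannot be
    validated from this host at all.
    """
    ip = zone.get(name)
    if ip is None:
        raise ValueError(f"{name} has no A record in the zone")
    if ip == this_host_ip:
        return HTTP_01
    if dns_api_available:
        return DNS_01
    return UNVERIFIABLE


def plan_certificate(names, this_host_ip, zone, dns_api_available=False):
    """Group the requested names by the challenge this host must use.

    An ACME order succeeds only if every name in it is authorized, so any
    name under "unverifiable" means the whole order (as requested) will fail
    from this host; the caller should drop the name or move issuance to a
    host that can complete a challenge for it.
    """
    plan = defaultdict(list)
    for name in names:
        plan[challenge_for(name, this_host_ip, zone, dns_api_available)].append(name)
    return dict(plan)


def order_is_feasible(plan):
    """True if no name in the plan is left without a usable challenge."""
    return UNVERIFIABLE not in plan


if __name__ == "__main__":
    # The situation from the thread: on IP Y the tooling insists on including
    # the root domain, whose A record points at IP X.
    on_ip_y = plan_certificate(
        ["example.com", "mail.example.com", "imap.example.com"], "192.0.2.20", ZONE)
    print(on_ip_y, "feasible:", order_is_feasible(on_ip_y))

    # Same request from IP Y, but with a DNS API: the root domain moves to DNS-01.
    with_dns = plan_certificate(
        ["example.com", "mail.example.com", "imap.example.com"], "192.0.2.20", ZONE,
        dns_api_available=True)
    print(with_dns, "feasible:", order_is_feasible(with_dns))

    # The clean split: web names from IP X, service names from IP Y, no DNS API needed.
    print(plan_certificate(["example.com", "www.example.com"], "192.0.2.10", ZONE))
    print(plan_certificate(["mail.example.com", "imap.example.com"], "192.0.2.20", ZONE))
```

Running it shows why the cPanel request failed on IP Y (the root name comes back `unverifiable`), that adding DNS-01 fixes exactly that one name, and that issuing one certificate per host with only that host's names needs no DNS access at all.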


The solution I have found to this problem is to point the root domain to the mail server, make the certificates and then point the root domain to the web server. The only problem is that I thought that all the mail server certificates would fail when they were automatically renewed, but your answers make me think that each certificate is individual and only the root domain certificate will fail, which we do not need.

Thank you all for the answers

