Multiple authorization policies for one cert?


I want to get a certificate that covers *,, and

However, the wildcard cert requires a DNS challenge, and the cert has to be done as a http-challenge or similar since I can’t modify the DNS (but it is pointed at my host). Is this possible?

I can’t figure out how to get certbot to use multiple different types of challenges for different domains on the same certificate.


I think Certbot currently doesn’t support different challenge types on the same cert, although one could probably write a plugin to do so.

My recommended approach would be to get two certificates: One for and *, and the other for You can serve both on the same web server using virtual hosts.

#3 will support multiple validation modes (

But I would take @jsha’s advice and use two certs. Unless you’ll be spending the summer in Claremont, you’ll probably need two certs in 90 days when you renew and don’t have a box on Mudd’s network.


The practical problem that I think you’re alluding to is that it only supports one plugin per cert; a plugin can support as many challenge types as it chooses to, but we don’t have any existing plugins that directly support both DNS-01 and HTTP-01.

The exception to this is that --manual can do it. In particular if you use --manual --preferred-challenges http with a mixed wildcard and non-wildcard request, it should attempt to use DNS-01 for the wildcard (because the CA insists on it) and HTTP-01 for the non-wildcard (because the user prefers that). The disadvantage here is that the challenges probably would be satisfied manually by the user and automated renewal wouldn’t be available. However, writing an authenticator hook script could automate this process if you have the ability to perform tasks to satisfy both challenge types from your own script.

This is definitely a bit of a nuisance, but it’s an existing option with Certbot.
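The hook approach described above, as an added example that is not part of the original thread or Certbot's own code: a single `--manual-auth-hook` script that branches on `CERTBOT_TOKEN`, which Certbot sets only for HTTP-01 challenges. `WEBROOT` and `DNS_PUBLISH` are assumed names for your web root and for whatever command updates TXT records at your DNS provider.

```shell
#!/bin/sh
# Added example: one auth hook for a mixed wildcard / non-wildcard request.
# Certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION for every challenge,
# and CERTBOT_TOKEN only for HTTP-01, so the token's presence selects the branch.

WEBROOT="${WEBROOT:-/var/www/html}"             # assumption: docroot of the HTTP-validated name
DNS_PUBLISH="${DNS_PUBLISH:-publish_txt_stub}"  # assumption: command taking <record-name> <value>

# Placeholder publisher: fails loudly until a real DNS update command is configured.
publish_txt_stub() {
    echo "no DNS publisher configured for $1" >&2
    return 1
}

acme_auth_hook() {
    if [ -z "${CERTBOT_DOMAIN:-}" ] || [ -z "${CERTBOT_VALIDATION:-}" ]; then
        echo "CERTBOT_DOMAIN / CERTBOT_VALIDATION not set" >&2
        return 2
    fi

    if [ -n "${CERTBOT_TOKEN:-}" ]; then
        # HTTP-01: the token becomes a file name, so accept only base64url
        # characters and refuse anything that could escape the challenge directory.
        case "$CERTBOT_TOKEN" in
            *[!A-Za-z0-9_-]*) echo "refusing unexpected token" >&2; return 2 ;;
        esac
        dir="$WEBROOT/.well-known/acme-challenge"
        mkdir -p "$dir" || return 1
        printf '%s' "$CERTBOT_VALIDATION" > "$dir/$CERTBOT_TOKEN"
    else
        # DNS-01 (the wildcard name): publish the validation value as a TXT record.
        "$DNS_PUBLISH" "_acme-challenge.$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    fi
}

# Run only when Certbot invoked us; a failure becomes the script's exit status.
[ -z "${CERTBOT_DOMAIN:-}" ] || acme_auth_hook
```

A matching `--manual-cleanup-hook` would remove the challenge file or TXT record after validation.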


Okay, true, you could do it with --manual and hooks. But as you say, that would be super messy (and probably brittle). In most cases one cert per name is ideal anyhow, so you don’t block renewals of all the names when one name becomes unavailable (as @jvanasco mentions).

