Multiple subdomains on different servers


I’ve got a general question:

I have two servers (let’s call them A and B) and one domain example.tld with several subdomains. Some subdomains point to server A, the others to server B. The domain itself points to server A.

If I generate a certificate on server A with -d example.tld,sub1.example.tld, I get one certificate with


If I’d generate a certificate on server B, I could not use example.tld in the domain list, as it does point to server A.

Is it somehow possible to generate a certificate for sub2.example.tld on server B that also has example.tld as CN?

Or should I rather redirect requests to sub2.example.tld/.well-known/ to example.tld/.well-known/, generate the certificate on server A and copy it over to server B?

Is there a specific reason you want the “bare” domain name included in the cert for server B?

Well, all these subdomains belong together under the domain example.tld. Therefore it just feels right to have the domain as CN.

I’m new to SSL Certificates, at least to using them in practice. And as I’m a bit of a perfectionist, I’d like to do everything as “right” as possible.

I have absolutely no experience when it comes to SSL certificates. The approach I asked about is just something that I thought would be sensible.

Another setup I can imagine is that each of the servers has a name, and there exists a dedicated subdomain for each server with that exact name: a.example.tld and b.example.tld. And that I use these as the CN for the certificates by using -d a.example.tld,example.tld,sub1.example.tld for server A and -d b.example.tld,sub2.example.tld for server B.

That way the CN would indicate which server the certificate belongs to.

I’m just wondering what’s the best practice to deal with multiple domains, spread over multiple servers.

I'll leave the aesthetics of certificates to you :wink: No opinion here.

Depends, do you have easy access to the authoritative DNS zone from both servers? For example, through an API. Or are you going to use a webroot plugin?

DNS would be the easiest, if an API exists. Just run your client on both servers for the FQDNs you want and the DNS plugin/API would take care of the challenge.

If you choose a webroot plugin for the http-01 challenge, it's possible to "dedicate" one server (e.g. server "A") for getting the certificates and redirect requests for /.well-known/acme-challenge/ on server "B" to server "A" for the FQDNs for server "B". The advantage is the Let's Encrypt client runs only on server "A", perhaps more manageable. The disadvantage is that you'll need to transfer the private key and certificate for server "B" from server "A" to "B" in a secure manner. Shouldn't be too hard though with some scripting.
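As an added illustration of the redirect setup described in the reply above (this is example configuration, not something posted in the thread), here is what the two sides could look like with nginx. It assumes nginx on both servers, a webroot of /var/www/acme on server "A" (a hypothetical path), and that the Let's Encrypt client on "A" is run with that webroot for all names, including sub2.example.tld:

```nginx
# Server "B": only the ACME http-01 challenge path is sent to server "A";
# every other request for sub2.example.tld keeps being served from "B".
# The redirect target hostname (example.tld) resolves to server "A".
server {
    listen 80;
    server_name sub2.example.tld;

    location ^~ /.well-known/acme-challenge/ {
        return 302 http://example.tld$request_uri;
    }
}

# Server "A": answer challenge requests for any hostname from one shared
# webroot, so tokens the client writes for sub2.example.tld are found
# even though the request arrived via a redirect from "B".
server {
    listen 80 default_server;
    server_name example.tld sub1.example.tld sub2.example.tld;

    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;   # assumed webroot, same as passed to the client
        default_type text/plain;
    }
}
```

The validation server follows the redirect, so the token only has to exist on "A". The private key for the sub2.example.tld certificate is then generated and stored on "A" and must be copied to "B" over an authenticated channel (for example scp or rsync over SSH with a dedicated key), with file permissions restricted to the web server's user; the key should never travel over plain FTP or HTTP.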

GetSSL will do this for you if you have SSH or FTP access between the servers.
