Newbie macOS + Server & DNS challenge & multiple domains


I’m a newbie planning to use letsencrypt for my macOS based services. Currently I’m using my own CA and distribute its root to the systems that need it. But I need a wider coverage.

I’ve been looking at letsencrypt and my main problem is that I want to have this fully automated, so I can setup a cron job. Covering the main web site will be easy enough, I suspect, but currently I’m using a wildcard certificate to cover all services. I have no problem using specific certificates for all services that I use, as long as I can rely on autorenewal and the service doesn’t get interrupted.

My first question is: if I use a DNS challenge, does that mean that on each renewal, the challenge in the _acme-challenge TXT record will have to change? If so, I cannot automate that, as my DNS is hosted externally (split DNS actually).

My second question is: if I do not use wildcards and I try to get a certificate for (say) and (for postfix) is it enough to have control over the webroot of or does have to have a web server that listens on port 443 as well?


Hi @gctwnl

Yes, the value will change. New order -> new challenge -> new challenge token -> new key authorization -> new SHA256 of the key authorization -> stored as value. But if your provider doesn’t support a DNS API, you can create a CNAME to another DNS service with API support.

You must show that you control every domain name. So if you use http-01 validation, you need a webserver under But this isn’t really a problem.

Use the existing webserver, add a new A-record -> same ip, add a redirect ->, then you can use the existing webserver.
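As an added illustration (not code from this thread or from any ACME client), here is how the two challenge values the reply above describes are derived from the order's token and the account key: the HTTP-01 body that must be served under every name in the order, and the DNS-01 TXT value that changes with every new order. The key, token and domain names are constructed placeholders.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of the ACME account key: SHA-256 over a JSON
    object holding only the required members, keys sorted, no whitespace.
    Optional members such as 'alg' or 'kid' do not affect it."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """<token>.<thumbprint>: binds the per-order token to the account key."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def http01_challenge(token: str, account_jwk: dict) -> tuple:
    """HTTP-01: the key authorization is served verbatim at this path over
    port 80 on every name in the order (hence a web server per name)."""
    return (f"/.well-known/acme-challenge/{token}",
            key_authorization(token, account_jwk))


def dns01_record(domain: str, token: str, account_jwk: dict) -> tuple:
    """DNS-01: TXT value is base64url(SHA-256(key authorization)), placed at
    _acme-challenge.<domain>; for '*.example' it sits at the base name."""
    base = domain[2:] if domain.startswith("*.") else domain
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode()).digest()
    return (f"_acme-challenge.{base}", b64url(digest))


# Constructed sample inputs: not a real key or token, just correctly shaped.
SAMPLE_JWK = {"kty": "RSA", "e": "AQAB",
              "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4Wx"}
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    print(http01_challenge(SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_JWK))
    print(dns01_record("*.example.com", "a-different-token", SAMPLE_JWK))
```

Running it twice with the same token gives the same TXT value, and any new token gives a different one, which is why a DNS-01 renewal needs an API (or a CNAME to a zone that has one) rather than a static record.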


Thank you. I can’t add another A record for that points to the same IP as as both have separate IP addresses. But I can of course add a virtual host for with an empty web site and allow port 443 traffic to that.


If your has another IP address and its own A-record, you must have a running webserver there.

Without an A-record -->> ip address this website isn’t visible.


Yes, I understand this. is currently only listening on mail ports in the outside world, is listening on 80/443. To be able to create a letsencrypt cert for mail on I must make sure is running a web server which is exposed to the outside world. I’d rather not, as it is running a webmail environment which I do not want to expose to the outside world.