Renewals with split-horizon DNS *and* geographically distanced hosts?

My domain is:

I ran this command: N/A

It produced this output: N/A

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.1

My hosting provider, if applicable, is: N/A

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.40.0

I’m switching over to Nginx from Apache, so I’m new to Nginx.

I have and on a host that is in another state. Currently I manually copy the cert over to it every 88 days.

But I have my home internal network as well. “” with several hosts on it for internal stuff, self-hosting, and development.

Each internal host uses an internal DNS server inside the home network, running pi-hole. Pi-hole has A records for the internal/home hosts.

What I’ve been doing is having 1 host renew the certificate (using Cloudflare-dns) and then copying it to the other servers, but now that I’m moving to Nginx it’s getting confusing.

I hope this makes sense. Ideally each individual host would be able to update its own certificate via Certbot without me copying a wildcard certificate all over the place.

Can I have each host also use Cloudflare-dns to renew their own certificates? example: let webmail/pile renew its own, let renew its own, let renew ITS own?

Do I just use Cloudflare-dns plugin on each one and copy Cloudflare credentials to each server and just specify each servers hostname?

Thank you!

1 Like

Yes, this is a good plan. Configure each server independently.


Independent configuration across the separate nets is a good idea; you could arrange for a single renewal to cover all of the hosts within each net, to cut down on the overhead. Just have the host that supplies DNS for each net run the certbot, having added the hostnames to be included in that certificate to the certbot configuration on that host.


Yes, and you can even take cloudflare out of the equation and use http-01 challenges, if you don’t need wildcard certificates. This way each host will be independent of all others when it comes to TLS certificates.

1 Like

Thanks! That’s a good idea too. All of these are good ideas, I didn’t know I could do it independently like that.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.