SAN Cert with Domain Validation rather than Host Validation

I’m trying to get a SAN Cert, but running into some problems. I’m using the following command:

./letsencrypt-auto certonly --standalone -d -d -d

And it is able to validate (the host I’m on), but not or which are currently in use elsewhere in my environment.

Is there anyway to get letsencrypt to take the validation for one host and use it for all hosts under that domain?

1 Like

Nope, that’s not possible. In many environments different hosts within a single domain are under the administrative control of totally different people or entities and we don’t currently have a way to confirm whether this is a case for a given domain or not. Sorry for the inconvenience!

You can take a look at threads talking about DNS validation challenges which would allow you to prove control of particular names by updating their DNS records rather than by making configuration changes on the associated hosts. Although this isn’t deployed yet, when it becomes available, it might be more convenient for your use case.

1 Like

Makes sense. Thank you.

It should be possible. You could set up reverse proxies (using nginx for example) on and to forward requests for /.well-known/.acme-challenge to the server.

Although if you use the names on separate hosts, what’s the benefit of a single SAN certificate over separate certificates?

The cert would be used on one server, but I wanted to build it in advance so that I could switch over with no downtime.

You should be able to redirect* and* to and provide the challenge there for verification.

1 Like