Setup advice with multiple subdomains & DDNS


I’m currently running Let’s Encrypt to remotely access services on my home server, and it’s working well. My setup is the following: for each service I have set up an A record ‘’ which is accounted for by Let’s Encrypt and whose IP is updated by my DDNS client and . So I have in total around 10 A records, each of them has a certificate by Let’s Encrypt and each of them is updated by my DDNS client.

So my question comes down to: is it the most efficient setup? (It certainly does not feel like it is.)

Any insight much appreciated, thanks!

Hi @vmazmaz

An A record doesn’t have a certificate. A record: Domain name -> IP address.

If you have 10 subdomains and if you don’t use a wildcard A record, you need 10 A records.

That’s independent from your certificates.

More important: Do you have 10 Let’s Encrypt clients? Or one?

Ten subdomains, ten certificates - that’s ok. You can create one certificate with 10 domain names, but if you have a working configuration -> use it.

Thanks for the reply! I had the misconception that a certificate was linked to an A record.
I only have one Let’s Encrypt client, so I believe it generates a certificate for all of them at once.
Would creating one A record and then 9 CNAME records pointing to this A record be an option? (To update only one subdomain on the DDNS client side.)

That’s not relevant.

A domain name must have an IP address. Direct A- or AAAA-record. Or a CNAME, so the A-record of the CNAME value is used.

As Juergen says, nothing in the TLS stack cares whether you have A records, CNAME records, AAAA records, or some other way of connecting a name with an IP address. But as a practical matter, what you describe is probably a better way of going about this–one A record, everything else is a CNAME to that first name, then you only need to update one record when your IP changes.
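
The layout suggested in the last reply (one A record, every other name a CNAME to it), as an added example that is not part of the thread: it follows CNAME chains to the single A record, counts what the DDNS client has to rewrite on an IP change, and flags a CNAME that shares its name with another record, which DNS does not allow. The zone contents, names, addresses and function names are constructed for illustration.

```python
# Constructed sample zone (documentation names and addresses, not from the thread).
ZONE = [
    ("home.example.com", "A", "203.0.113.10"),            # the only record DDNS updates
    ("cloud.example.com", "CNAME", "home.example.com"),
    ("git.example.com", "CNAME", "home.example.com"),
    ("media.example.com", "CNAME", "cloud.example.com"),  # chains are followed too
]

def check_zone(zone):
    """Return names where a CNAME coexists with another record (not allowed in DNS)."""
    by_name = {}
    for name, rtype, _ in zone:
        by_name.setdefault(name, []).append(rtype)
    return sorted(n for n, types in by_name.items() if "CNAME" in types and len(types) > 1)

def resolve(zone, name, max_hops=8):
    """Follow CNAMEs to an A record; return (address, chain) or raise on loop/dangling name."""
    seen = []
    while len(seen) <= max_hops:
        if name in seen:
            raise ValueError(f"CNAME loop: {' -> '.join(seen + [name])}")
        seen.append(name)
        records = [(t, v) for n, t, v in zone if n == name]
        for rtype, value in records:
            if rtype == "A":
                return value, seen
        cname = [v for t, v in records if t == "CNAME"]
        if not cname:
            raise ValueError(f"{name} has no A or CNAME record")
        name = cname[0]
    raise ValueError("CNAME chain too long")

def update_ip(zone, new_ip):
    """What a DDNS client does on an IP change: rewrite A records only. Returns (zone, count)."""
    updated = [(n, t, new_ip if t == "A" else v) for n, t, v in zone]
    return updated, sum(1 for _, t, _ in zone if t == "A")

if __name__ == "__main__":
    zone, touched = update_ip(ZONE, "198.51.100.7")
    print(f"records rewritten: {touched}")
    for name in sorted({n for n, _, _ in zone}):
        print(name, "->", resolve(zone, name)[0])
```

The certificate side is unchanged by this layout: the certificate still has to list the names clients actually connect to, not only the CNAME target.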