SSL for domain with multiple A records

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I accessed this URL on my Chrome browser:

It produced this output:

Your connection is not private

Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards). Learn more


This server could not prove that it is; its security certificate is from This may be caused by a misconfiguration or an attacker intercepting your connection. redirects to and other mirror sites via round robin. if accessed with http, it works well. and other mirror sites have their own ssl certs provided by Let's Encrypt.

My question is this:
Is it possible for to have it's own ssl cert, even though it is just a domain name that maps to other mirror servers?

Thank you for for help!

It's certainly possible for the two servers responsible for to have HTTPS certificates.

It's tricky to actually get the certificates in an automated way though, because your two servers would need to coordinate somehow to present the correct answer to the Let's Encrypt HTTP domain validation challenge.

I would probably use the DNS challenge, because it would allow each of your servers to independently obtain a certificate without worrying about what the other server is doing. However, it doesn't look like any ACME clients out there support ZoneEdit, possibly because they don't have an API to programmatically create TXT records.


Hello _az. Thank you for your reply.

Just to make it clear, the two servers you mentioned already have HTTPS certs provided by Let'sEncrypt.
What I was asking was if it is possible to assign a separate cert for itself given that it is just a domain name that points to other servers.

Thank you.

1 Like

You can have a cert that has several different domains on it, and use that on your server to catch redirects for them all. You just need to include all those domains e.g. the follow are all distinct and would need to be individually included as subject alternative names in the certificate if your server is going to response on behalf of these domains:


So you can do this with one cert or different servers can have their own certs that they manage, but whatever server responds to users browsers must have a cert that covers the exact domain the browser is requesting.


Additional context from OP

As I mentioned in the ServerFault response, it is likely going to be more efficient for the person/organization that controls the web servers to obtain the necessary certificates for all of the names those servers are using.

Even though you control the domain for one set of names, you have effectively delegated control of those specific names to the owner of the web server. So the web server operator can obtain a cert for those names without any interaction from you. And that will be the most efficient process long term even though you could theoretically obtain a cert for the names in your domain yourself.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.