SSL for other domains

Hello, imagine this scenario: * (wildcard)

The configuration above works, there are SSL for the main site and all of the subdomains wildcard.

  1. Now imagine that on I created a website.
  2. Than I go and buy and I want it to show the website at To achieve that I go to the DNS of and have the following lines changed: 300 IN A # ip adress of 300 IN CNAME

Now shows the website of but URL stays

How do I SSL

Thank you!

Edit: So for the challenges I now need to add them to the DNS since now points to the’s IP. So the remaining question is: how to add the generated certificates to server (apache2) without restart etc.

For the Control Panel on the VPS I use VestaCP which supports Let’s Encrypt SSL but not the wildcards (?yet).

You need to understand how DNS works (and then also how SNI and TLS works).


A CNAME merely forwards a DNS request from one name to another name; but it is still just a DNS request.
It will NOT change the name of the request.
So will remain a request to when it reaches the IP found for


If you want the same site to be accessed for both and you seek, then you will need to append the server name (or server alias) of to the vhost config for


When you reach a site that has a cert that doesn’t match the name, you will get a security alert [ NOT in cert (, *].

Thank you. Then if I add the server alias of to, is there a way to generate a certificate just for and have it appended on runtime to server? Without regenerating the one of to include

Sure, but if it's a separate certificate, your web server software will probably expect you to configure it as a separate virtual host, which might not be the way you would have expected to configure it.

My site is the same virtual host but has different information based on the or domain.

So just one virtual host, (* is an alias of

The web server may not allow configuring two different certificates for the same virtual host, though.

At least not of the same type…
You can usually use an ECC and an RSA cert in the same vhost.
But if they are serving different names… Well that’s just going to create some major confusion.
Different names serving different content from the same IP was pretty much the reason for SNI.
Learn it, use it, and enjoy :slight_smile:

But, if you want to serve the same content under different names, with different certs, many web servers may require you to make two separate virtual hosts (which might independently have the same configuration!). This is just because there commonly isn’t a way to specify two separate certificates within the same virtual host configuration, not because SNI couldn’t in principle allow the web server to figure out which certificate to use within a virtual host as opposed to the more common implementation approach of helping to select the appropriate virtual host.

What if I have an infinity of domains serving from the same IP, the same content? How to add SSL for them?

I’'ll read about SNI to find out more, thank you :slight_smile:

One cert can only hold 100 entries.
Each entry could be a wildcard…
So you could do an infinite amount of domains from the same cert - only if they share the same base domains (limited to 100 unique base domains).

Note: wildcards don’t cover the base domain. If you also need to cover those, then it’s 50+50 (50 unique wildcard entries + 50 unique base domain entries) per cert.

So if you wanted to cover 1000 base domains and the matching 1000 wildcards…
You would need at least 20 certs and 20 vhost config blocks (one for each cert).

That can’t be, there has to be some automation as users will create many websites per day. How does Tumblr do it? Wordpress? Shopify? They are in the same scenario explained in the 1st post.

I don’t see how they are the same.
Maybe you could post some examples.

I’m a little unclear on your question; do you think you could clarify it a bit?

One issue is about Let’s Encrypt rate limits (how many certificates you can issue per week). In this case many of the large web sites that host per-customer subdomains have either obtained wildcards (which cover every customer subdomain with a single certificate), or rate limit exemptions (by explaining their issuance needs to Let’s Encrypt).

Another issue is about how a web server handles the existence of large numbers of distinct certificates. In this case the web server should be able to use SNI to pick the right certificate if the web server has been made appropriately aware of the existence of all of them. Popular servers like nginx and Apache already support SNI, but they usually support it in conjunction with virtual hosts, so that the server can pick an appropriate virtual host based on the hostname requested by the client using SNI.

If you have an extremely large number of separate certificates, you might need to consider whether you need some kind of customized software in order to scale up—but I have a feeling that nginx’s virtual host support is relatively scalable here.

In general, SNI is the core technology that allows multiple sites to share the same IP address, and it’s already supported by all modern web browsers and all modern web servers, and normally used automatically on every connection.

Some users have blogged about how they deploy many Let’s Encrypt certificates, but I’m not sure if those companies are among them.

Nginx users might be interested in OpenResty’s Lua SSL support.

1 Like

First thank you for helping! So I got it working :grinning: with the following solution you guys gave me:
Create Virtual Host for the new domains but use the same <Directory> as - so same html/php files but allowing SSL for each domain. This can be automated by script.

To be clear what the scenario was: allows users to create websites under the
Then username wants to buy his own domain - but wants the website from to show under

Edit: I don’t know if it is possible to do this without restarting apache though.

Unfortunately, you must restart a web server whenever a cert, or a name, is added that is “new” to the system.
The good news is that you don’t have to do a hard stop/start.
Look into this:

Awesome! Thank you very much! :smiley:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.