Sub-domain validation


I am new to Let’s Encrypt and am considering using it for a project where I would have to issue certificate for specific sub-domain without having direct access to the top-level domain DNS servers themselves.

So per example, I would want to issue a certificate for and I could pass a challenge for a file hosted on but not (because another team controls the top-level).

Question is, does the ACME protocol allow for validation to be done on the sub-domain for which the certificate was requested or is it always done from the top-level domain no matter what?



1 Like

I believe all validations are done on the exact/complete FQDN(s) requested - not on the base domain.


Yes, validations are all performed on the specific domain requested. The only reason you would not be able to receive a certificate for a subdomain is if a higher level domain has a CAA record prohibiting Let’s Encrypt from issuing certificates for that domain.


Great, thanks for confirming!

I think @jsha also said that, somewhat counterintuitively in terms of what we might expect from DNS hierarchy, you are allowed to override that CAA record with a more-specific CAA record permitting the issuance.

1 Like

Yep, although this is unlikely to affect the original poster. :slight_smile: Details at for whoever is interested.

1 Like

That’s actually very useful to know especially the part about the sub-domain CAA overriding the top-level CAA, this could come in useful! Thanks for the link to the documentation.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.