Subdomain IP is different than webserver IP and can't validate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): openlitespeed

The operating system my web server runs on is (include version): ubuntu-22.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Hi @oldDog,

It would be helpful to see the Certbot command that you ran and the output.

Most straightforward methods of getting certificates with Certbot expect you to run Certbot on the machine that the DNS record points to, and only request names in your certificate that point to that machine. In this case you would usually want to get separate certificates for the main domain and subdomain, perhaps by running Certbot separately and independently on two different machines. This is perfectly valid to do.

It's hard to advise further without seeing specific commands and error messages.


I was running --dry-run and all was well.

The problem is that I want to add subdomains for my dns and mail servers to an existing certificate but they are actively using different IPs so I can't change them to point the the my webserver; however, you gave me the info I need. Apache is available on the mail and dns servers so I'll create and run instances that serve no content other than .well-known, adjust the firewall, and rerun certbot.

Thanks for the immediate reply and the help.


Certbot can also spin up a temporary webserver with the --standalone authenticator plugin, so Apache is not really necessary if you don't use it for any other purpose.

Excellent!!! Unbelievably easy. I would recommend that approach as the BEST solution. Nine domains on one certificate in about 3 seconds.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.