example.com, we have had a several-year relationship with hosting provider A that hosts several services for us, on several foo.example.com subdomains. Provider A started using Let’s Encrypt a few years ago, works great, certs magically appear for all our subdomains, we couldn’t be happier.
Fast forward to now: we’ve added a new relationship with hosting provider B, just for their spiffy website building tech, only to use for a new website. The A record for www.example.com now points to provider B. All other foo.example.com records, and example.com itself, still point to provider A. (For the convenience of web visitors who leave off the www., we do have redirects on provider A from :443 over to www.example.com so they see the web site on B.)
Here’s the snag: provider B also uses Let’s Encrypt. We would like them to generate a cert for www.example.com - for only that one name, the only one we have pointed to them. Everything else in our namespace still points to provider A and already has perfectly good certs installed there.
Provider B insists that they can’t possibly generate a Let’s Encrypt cert for www.example.com unless we also move the A record for example.com to point to provider B (thus breaking all our services on that hostname at provider A!).
Is that really something Let’s Encrypt can’t do? This is the actual reply from provider B’s tech support:
we do use ‘lets encrypt’ however our service is dynamic and software based, and as such is directly integrated into their API … Based on our configuration with Lets Encrypt you would as Cameron mentioned, need to point both instances of your example.com domain from your registrar here for us to generate this for you.
It seems more likely to me that Let’s Encrypt could certainly do that, but these guys at provider B need help seeing how. I mean, is it really that unheard of to direct just one subdomain A record off to another provider to use one spiffy service that provider offers?
And anyway, suppose I laboriously move all our existing provider A services on example.com over to quux.example.com, just so I can point example.com over to provider B the way they say is necessary for them to generate a cert. Is the next shoe to drop when provider A says “hey, we can’t renew the certs for any of your subdomains here, because example.com doesn’t point to us any more”?
Somebody please tell me there’s a solution.