Trying to understand LetEncrypt with multiple domains

Up until now I have been running LetsEncrypt with DuckDNS with no problems whatsoever. The problem now is that I have created another DDNS that points to the same home network ( Running SSL diagnostics reveals that the certificate is OK except for the fact that the domain names don't match. The DDNS address on the certificate matches the one on the other DDNS.

So I have a couple of questions on how to resolve this issue:

  • Can I create and renew the LetsEncrypt certificates from diffrent computers without running into this problem?
    I ask that because the first DDNS and SSL certificate are managed by hassio, so poking into that can be tricky.
  • The problem will be solved if I create both certificates at once? This means running:
    sudo certbot -d -d
    Then I would have to export the certificate to the necessary machines, but that's another issue.
  • Is there a better way to tackle this?
1 Like

@mbc99 Hello and welcome to the community forum!

So if I read this correctly, you have 2 hosts.

  1. is secured with a LE certificate, is functioning correctly and reachable from the internet.

  2. is being served from a SECOND machine on the same network. (It is also functioning, but lacks a certificate so far.)

You should not have problems installing certbot on your second server and running it independently to obtain a certificate for

No need for that.

sudo certbot -d

Go for it! And please come back with the results!

Good Luck


Thanks for the reply.


Not exactly. I already tried installing the certificate with
sudo certbot -d
The certificate is created, but when I go to It tells me that the certificate domain name doesn't match the domain. So the certificate name doesn't match It instead matches

1 Like

OK since you have one cert , working on one server, for one domain.... Lets move on to your second server. (Server 2)

Is certbot installed on your second server (Server 2) where lives?

Did you run the command from there (Server 2) or did you run the command from server 1 expecting to copy or move the cert over?

More data required or you might get the right answer for the wrong question.. :face_with_thermometer:


Another question to add to @rip's: When you're done, do you want to connect to one of your servers behind the firewall, and to connect to a different server behind the firewall? If so, you're going to have to assign an alternate port (e.g. :8443) to use with one of those hostnames. Also, that introduces some challenges in terms of which server is answering the challenges to get certificates.


You are spot on @jsha . It seems that both domains are serving the same content, and using the same IP ( so it would be helpful to know more about @mbc99's vision of what the end result would look like. Lets get it right.

(edited to blur IP)


SNI solves the multiple names on a single IP problem.
Now who will be performing the SNI logic?
I have not yet seen a firewall capable of routing based on inbound URL/SNI destination.
So, all inbound requests will be set to one single internal IP.
That internal system will need to proxy those requests to their respective endpoints.
You could have everything in your network secured - it could be dozens of certs.
But you only have one external IP - you first need a broker, you need to use a "reverse proxy".



From server 2


Server 1 (using @Rip naming scheme) is using (among others) port 443
Server 2 will be using (among others) port 3000
Server 1 and Server 2 won't have ports used in common

Moreover, Server 1 and Server 2 are on the same physical machine under Proxmox. So they are under the same interface (each VM called Server 1 and Server 2 have diffrent IP's)

It might sound strange that two DDNS are pointing to the same IP (now you know where I live :)). But I want to do it (under the probably false pretense) for security.
But the more I read the more I think it's stupid.

That's what I was afraid of.

So it's impossible to have two DDNS working correctly on the same public IP without having to use reverse proxy or similar?

By the way, thanks for the massive support :slight_smile:


Probably not worth the added effort, but worth mentioning.
You could assign one system to handle all the HTTP request.
So it would be fully responsible for all the certs and their renewals.
You would have to figure out how to synchronize the certs within all your internal systems.
Then you could access each system from the Internal over the same IP but to individually assigned ports.
So, for example:
port 8000 > DVR
port 8001 > Refrigerator
port 8002 > NVR
port 8003 > Toaster/Oven

You could authenticate via DNS (not HTTP).
And remove the certificate manager system.
But then be left with the same non-overlapping port assignments.

So, you see, the most elegant method (that allows each device to use the default HTTPS port 443) would require using a reverse proxy.

That may sound insurmountable, but it is not.
Apache can do it easily.
Nginx can also do it easily (and better as far as I'm concerned).
So, if you can install either (or already have either installed) you can do this quite easily.


Wow, a lot of new information.

I like this idea. I have installed proxmox so creating another VM or container wouldn't be an issue. I could create a shared folder or a NFS mount to share those certificates.

Then I would be able to create a certificate for both domains, so:
sudo certbot -d -d
An share (via a local shared folder or a network folder) the certificate which would be the same for both domains, right?


Yes, that can work.



Then I will probably give it a try, But I tried copying the certificate created from another VM into server 1 (which is HASSIO for HomeAssistant) and it didn't work.
But knowing it is possible I will give it another try.

1 Like

You have to get the cert and the matching key file.
You can also verify that public cert and private key are matched (works for RSA and ECC) with:

  openssl x509 -noout -modulos -in public.cert.pem | openssl sha256
  openssl x509 -noout -modulos -in private.key.pem | openssl sha256

[resulting outputs should be exactly the same]

Note: certbot cert files are already in .pem formats; So there is no need to convert them :slight_smile:


But if I create a certificate for both DDNS, so:
sudo certbot -d -d
I will only one of each of the four files that cerbot creates and so all the VM's (no matter what DDNS they are using) will have the same files right?


Yes the one certificate will work for both names so it will work on both systems.
But you only need to use two of the files:
the private key
and the fullchain


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.