Using DNS-01 and HTTP-01 challenge for the same certificate


I am using a hosted domain (the DNS entry for this is served by my provider). For subdomains I can have DNS delegated to my site.

Now I have the domain and a subdomain. The domain will run a webserver while the subdomain will not, but the subdomain can be authenticated using DNS challenge.

Is it possible to have one single certificate valid for domain and subdomain using two different challenge types?

Thanks in advance.

On the server-side, each domain validation is handled independently from certificate issuance, so this is certainly possible.

On the client-side, I’m not aware of any that actually support doing this. They’re all designed around a one-validation-method-per-certificate paradigm. So you’d have to hack up something yourself with one of the programming language bindings if you want to do this.

But I’m not sure why you can’t just verify the main domain with dns-01 as well? That seems like the easiest solution for you.

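The per-identifier validation described in the answer above, as an added example that is not part of the original thread or of any ACME client: it takes the authorizations of one order and works out, per name, what to provision for http-01 (RFC 8555 section 8.3) or dns-01 (section 8.4). The domain names, tokens, challenge URLs, account key and all function names are constructed for illustration, and no network requests are made.

```python
import base64, hashlib, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: hash only the required members, keys sorted, no whitespace.
    members = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode()).digest())

def plan_validation(authorizations, method_for, account_jwk):
    """Pick a challenge type per identifier and say what to provision for it."""
    thumb = jwk_thumbprint(account_jwk)
    plan = []
    for authz in authorizations:
        name = authz["identifier"]["value"]
        wanted = method_for.get(name)
        offered = {c["type"]: c for c in authz["challenges"]}
        if wanted not in ("http-01", "dns-01") or wanted not in offered:
            raise ValueError(f"{name}: cannot use challenge type {wanted!r}")
        chall = offered[wanted]
        key_auth = f"{chall['token']}.{thumb}"          # RFC 8555 section 8.1
        if wanted == "http-01":                         # section 8.3: file body
            where = f"http://{name}/.well-known/acme-challenge/{chall['token']}"
            content = key_auth
        else:                                           # section 8.4: TXT value
            where = f"_acme-challenge.{name}"
            content = b64url(hashlib.sha256(key_auth.encode()).digest())
        plan.append({"identifier": name, "type": wanted, "where": where,
                     "content": content, "respond_to": chall["url"]})
    return plan

# Constructed sample data: account key, tokens and URLs are made up.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed_x", "y": "constructed_y"}

def sample_authz(name):
    base = f"https://acme.example/chall/{name}"
    token = name.replace(".", "-")
    return {"identifier": {"type": "dns", "value": name}, "status": "pending",
            "challenges": [{"type": t, "url": f"{base}/{t}", "token": f"tok-{t}-{token}"}
                           for t in ("http-01", "dns-01", "tls-alpn-01")]}

AUTHZS = [sample_authz("example.com"), sample_authz("sub.example.com")]
METHODS = {"example.com": "http-01", "sub.example.com": "dns-01"}
PLAN = plan_validation(AUTHZS, METHODS, ACCOUNT_JWK)

if __name__ == "__main__":
    for step in PLAN:
        print(step["type"], step["where"], step["content"])
```

The certificate can only be finalized once every authorization in the order is valid, so a real client would respond to each `respond_to` URL and poll both authorizations before sending the CSR.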

Thanks for your answer. The domain provider is Strato. They only provide DNS maintenance via a web interface and there is no possibility to handle TXT records as far as I can see.
The entire domain cannot be delegated to my own DNS, but a subdomain can.

Strange, they must get a lot of complaints for not being able to do SPF records or google-site-verification. :frowning:

Fortunately for you, you can just delegate to the same DNS server and get it done if you want.

Delegate _acme-challenge… :thinking:



Delegating _acme-challenge will not work at Strato as they do not let me use an underscore in the subdomain name.

But I’ve found a way to delegate the entire domain which I will try.
