Verify ownership of domain and get cert for subs


Is it possible to get certs for my subdomains with only verifying my main domain?

I'm in a scenario where the subdomains that I need SSL certs for are all behind a VPN and I want the certs internally.



Only by using a wildcard certificate, which requires the dns-01 challenge, instead of multiple separate subdomains.

Although I guess the dns-01 challenge would also work for separate subdomain verification, as your VPN issue would probably only interfere with the http-01 (and tls-alpn-01) challenge. But if the dns-01 challenge is required anyway, personally I would go for a wildcard cert.


I use DNS-01 for single-domain certs for private subdomains all the time (not behind VPN, but on internal IPs).

@gborbonus I recommend installing an instance of acme-dns in the cloud (GitHub - joohoi/acme-dns: Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely), and then delegating it to handle your acme-challenges. That will streamline automated and manual installs.


Hi @gborbonus and welcome to the LE community forum 🙂

In short: YES!

But it requires the use of DNS-01 authentication - which can be tricky to automate.
Depending on the ACME client used and the DNS service provider (DSP).
But there are many choices and many possible workarounds to most worst-case scenarios.
So, with a little bit of "work", you can obtain a cert (even with wildcard entries) for any (sub)domain you control the public DNS zone for (a.k.a. "own").


Are you guys saying I can use DNS-01 for verification of subdomains as _acme-challenge.*?

Or would I need to make an entry for every single subdomain that I want a cert for?

I have a feeling the latter is necessary.

Can be used for both cert entries:

And one LE cert can hold up to 100 SAN entries.


That's what I was thinking.

I'll need to create DNS entries for each subdomain, which also supports their www. counterpart. Regretfully, policy is preventing me from using wildcard SSL.

Also, the lack of control over the domain DNS host (company policy has it at a host with no API), prevents me from doing this automatically.

My setup has an internal DNS, so internally it points to a private IP, but externally there is no DNS record. So my current thought process on the easiest way to make this work is to use a wildcard DNS record (*) and point it to a public server that I can then use http verification for.

Seriously wish I could do a proof of ownership of the main domain and then consider all subdomains valid for SSL but alas, we are where we are.

Please see the acme-dns link I created above.

It is an API-driven DNS server, designed to automate the acme challenge process. After setting the server up, you only have to (manually) point the _acme-challenge record on your main DNS servers to it once. It will then automate the process during renewals.
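As an added example (my own code, not any poster's or the acme-dns project's), here is how an ACME client derives the DNS-01 records discussed above: the `_acme-challenge` name for each SAN and its www counterpart, the TXT value from the challenge token and account-key thumbprint (RFC 8555 section 8.4, RFC 7638), and the one-time CNAME delegation into an acme-dns zone. The CNAME target label is a constructed placeholder; a real acme-dns instance assigns its own.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses throughout (RFC 8555 / RFC 7515)."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, sorted, no whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """RFC 8555 section 8.4: TXT value = base64url(SHA-256(token '.' thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode("ascii")).digest())


def challenge_record_name(identifier: str) -> str:
    """The record is _acme-challenge.<identifier>; a wildcard shares its base domain's name."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{base}"


def san_list(hostnames, with_www=True):
    """Expand each hostname to itself plus its www counterpart, in order, without duplicates."""
    names = []
    for host in hostnames:
        for candidate in ([host, f"www.{host}"] if with_www else [host]):
            if candidate not in names:
                names.append(candidate)
    return names


def txt_records(tokens: dict, jwk: dict) -> dict:
    """tokens maps each identifier to the token of its own dns-01 challenge (one per
    authorization). Returns {record_name: txt_value}; these values change at every renewal."""
    thumbprint = jwk_thumbprint(jwk)
    return {challenge_record_name(n): dns01_txt_value(t, thumbprint) for n, t in tokens.items()}


def cname_delegations(hostnames, acme_dns_zone: str) -> dict:
    """One-time CNAME per name into an acme-dns zone, so renewals need no changes at the
    main DNS host. The target label is a constructed placeholder; acme-dns issues its own."""
    return {challenge_record_name(n): f"{n.replace('.', '-')}.{acme_dns_zone}"
            for n in san_list(hostnames)}
```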


If you rethink using wildcard certs, you might find this link helpful - or not! Good luck!


I may be misinterpreting things, but note that the challenge txt records are ephemeral. Any records will need to be replaced every 90 days for renewal.

