Why do I need to answer a challenge for each subdomain

I need to issue multiple certificates with the following structure: “*.SubDomain1.MyDomain.net”, for different subdomains, each certificate with one name. For example:

Certificate with "*.SubDomain1.MyDomain.net"
Certificate with "*.SubDomain2.MyDomain.net"
Certificate with "*.SubDomain3.MyDomain.net"

My question here is: why do I need to answer a challenge for each subdomain? I have already proved that I have control of the domain.


This has been discussed many times on this forum. A similar conversation took place a month ago.

Your question is fair - and the way things are is arguably arbitrary. The decision to make you explicitly authorize each DNS name like this is probably, on balance, the best option that avoids incorrectly authorizing domains that e.g. might have access controls preventing them being updated (nsupdate/RFC2136) or are entirely delegated away.

Given that Let’s Encrypt is meant to be used in a completely automated manner, the number of challenges should not pose any great inconvenience to users. If you are doing this stuff manually, I can see how you might be annoyed by Let’s Encrypt being a stickler.
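To make the "one authorization per DNS name" mechanic concrete, here is an added example (not code from the original thread or from Let's Encrypt) that builds the DNS-01 challenge response for each wildcard name separately, following RFC 8555 section 8.4 and RFC 7638. The account key is the RSA public key from the RFC 7638 example, and the tokens are constructed placeholders; a real CA issues a fresh token for every authorization.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 8555 requires for every encoded value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over canonical JSON of the required members only."""
    required = ("crv", "kty", "x", "y") if jwk["kty"] == "EC" else ("e", "kty", "n")
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def dns01_record(identifier: str, token: str, thumbprint: str) -> tuple[str, str]:
    """Return (TXT owner name, TXT value) for a DNS-01 challenge on one identifier.

    A wildcard is validated at its base name, so "*.SubDomain1.MyDomain.net" is
    proven by a record at "_acme-challenge.SubDomain1.MyDomain.net"; every other
    subdomain needs its own record with its own token.
    """
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_authorization = f"{token}.{thumbprint}"  # token || "." || thumbprint
    value = b64url(hashlib.sha256(key_authorization.encode("ascii")).digest())
    return f"_acme-challenge.{base}", value


def plan_challenges(identifiers, tokens, jwk) -> dict:
    """One authorization per identifier: map each name to the record it must publish."""
    thumb = jwk_thumbprint(jwk)
    return {ident: dns01_record(ident, tok, thumb) for ident, tok in zip(identifiers, tokens)}


# Constructed sample input: the RSA public key from RFC 7638 section 3.1 stands in
# for the ACME account key; the tokens are made up, not issued by any CA.
ACCOUNT_JWK = {
    "kty": "RSA", "e": "AQAB",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc"
         "_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0"
         "_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI"
         "4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
}
SAMPLE_NAMES = ["*.SubDomain1.MyDomain.net", "*.SubDomain2.MyDomain.net", "*.SubDomain3.MyDomain.net"]
SAMPLE_TOKENS = ["constructed-token-1", "constructed-token-2", "constructed-token-3"]

if __name__ == "__main__":
    for ident, (owner, value) in plan_challenges(SAMPLE_NAMES, SAMPLE_TOKENS, ACCOUNT_JWK).items():
        print(f"{ident}: publish {owner} TXT {value}")
```

Because each name resolves to a different `_acme-challenge` owner and carries a different token, a single proof cannot stand in for the others; only a record the CA can look up under that exact name shows control of that exact zone.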


