Wildcard certificates and multiple servers


#1

How do Let’s Encrypt wildcard certificates work across multiple distinct servers? Is the same wildcard certificate deployed to each subdomain even across multiple servers? Or, is Let’s Encrypt simply creating many wildcard certificates deployed on different servers for the same TLD?


#2

Hi,

The wildcard certificate is *.domain.tld, which you can distribute to several servers within the range of the domain; these could be across different servers.
(You can also create several wildcard certificates; however, you might hit the rate limit.)

Thank you


#3

It depends on your setup. Generally speaking, you should only deploy the same certificate to multiple servers if those servers are configured identically. For instance, if you run www.example.com, and you get so much traffic that you need 10 servers to handle it all, it’s reasonable to put the same certificate on all 10.

However, if you run www.example.com, and also your internal webmail service mail.example.com, your mail service is probably on a different server, configured differently. In that case, you would use 2 different certificates: One for www.example.com, and one for mail.example.com.

The same is true of wildcard certificates. Even though you could in theory get one certificate for *.example.com and copy it to both www.example.com and mail.example.com, that’s a bad idea. It means that if www.example.com is compromised, then the private key for that certificate is compromised, which will also affect mail.example.com. It used to be common to do this anyways, because individual certificates cost money and time. However, since Let’s Encrypt certificates are free and automated, I’d encourage you to use different certificates for your different service configurations.

Another way to express this as a rule of thumb: If you have a wildcard DNS record so that DNS lookups for <any name>.example.com all resolve to the same host (or hosts), then it probably makes sense to get a wildcard certificate. Otherwise it probably does not make sense.


#4

So then I assume the automated scripts/tools for generating Let’s Encrypt wildcard certificates can allow creating unique wildcard certificates for each server? And there are no issues with having multiple wildcard certificates?


#5

That is technically possible, but it’s also a bad idea, because the wildcard certificate would be valid for all your subdomains, not just the subdomains hosted by that server. If you have different subdomains on different servers, each server should get regular, non-wildcard certificates for the domains it serves.
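As an added illustration of the advice in #3 and #5 (example code written for this page, not a Let’s Encrypt tool): a small audit that compares the names each server’s certificate covers with the names that server actually hosts, using the one-label wildcard matching that TLS clients apply. The server inventory and certificate lists are constructed.

```python
def name_matches(pattern: str, hostname: str) -> bool:
    """Wildcard matching as TLS clients do it (RFC 6125): '*.example.com'
    covers 'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                    # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]     # what the '*' would stand for
    return bool(leftmost) and "." not in leftmost


def audit(hosting: dict, certs: dict) -> dict:
    """For each server, list names its certificate covers but it does not
    host (a key compromise there also affects those names) and names it
    hosts that the certificate fails to cover."""
    report = {}
    for server, san_names in certs.items():
        served = {h for h, s in hosting.items() if s == server}
        covered = {h for h in hosting if any(name_matches(n, h) for n in san_names)}
        report[server] = {
            "overexposed": sorted(covered - served),
            "uncovered": sorted(served - covered),
        }
    return report


def wildcard_sensible(hosting: dict, zone: str) -> bool:
    """Rule of thumb from #3: a wildcard makes sense only when every name
    directly under the zone is served by the same host."""
    servers = {s for h, s in hosting.items() if name_matches("*." + zone, h)}
    return len(servers) == 1


# Constructed inventory: which server answers for which name.
HOSTING = {
    "www.example.com": "web01",
    "example.com": "web01",
    "mail.example.com": "mail01",
}
# Constructed deployment: web01 was given a wildcard, mail01 a regular cert.
CERTS = {
    "web01": ["*.example.com", "example.com"],
    "mail01": ["mail.example.com"],
}

if __name__ == "__main__":
    for server, findings in audit(HOSTING, CERTS).items():
        print(server, findings)   # web01 is overexposed for mail.example.com
    print("wildcard sensible:", wildcard_sensible(HOSTING, "example.com"))
```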
