Using Let's Encrypt Wildcard Certificate on Multiple Servers
I have a series of subdomains that are a part of a root domain I manage. I have set up certbot
on one of these domains: x.example.com
and it is successfully using the certificate and renewing it automagically.
I now want to create a new subdomain y on a different server in our infrastructure. I need to use the same Let's Encrypt certificate since the challenge is good for any wildcard domains. However, using for example certbot --nginx ...
issues a new challenge and that's no good. I want to use my same certbot stuff from x
.
Is there a way to do this? Perhaps using the old challenge? I see --force-renewal
and such that talk about if the certificate already exists for the request domains...
. It doesn't seem like it fetches a copy of the certificate from their server however. I'd like to have it configure my nginx stuff automatically so I don't have to copy things over (via --nginx
).
How do I do this right?
It sounds like you created a wildcard cert when you didn't need to. It's perfectly reasonable for Server X and Server Y to both have their own copy of certbot generating and renewing a certificate only for the name(s) they care about. They can even share some names.
As long as you don't run up against the Let's Encrypt rate limits, you'll be fine.
Challenge validations are not permanent. You will generally have to re-validate a challenge during every renewal (usually between 60-90 days after original issuance).