server A on example.com, www.example.com and blog.example.com - the subdomain cloud.example.com points to server B. Is there an option with certbot to get this setup running? I didn't succeed.
On server A I used this command:
./certbot-auto certonly --standalone --email info@example.com --agree-tos --rsa-key-size 4096 -d example.com -d www.example.com -d blog.example.com
And on server B this command (another full domain also runs here, which works fine):
./certbot-auto certonly --standalone --email info@example.com --agree-tos --rsa-key-size 4096 -d mydomain.tld -d www.mydomain.tld -d cloud.example.com
Yes indeed, just request the certificate for the subdomain you want. So if you want a cert for onlysecure.mydomain.com then just request that one certificate. When you need a cert for another subdomain private.mydomain.com at a later date then request it when needed. My root domain spans across 4 Ubuntu servers, some run mail, some run web sites and each server has its own certbot installation and its own subdomain-level certs. So I request those certs as follows:
sudo ./certbot-auto certonly --agree-tos --rsa-key-size 4096 -m dnsadmin@mydomain.com -d secure.mydomain.com --renew-by-default
I don't know what was wrong in the configuration. I backed up the full /etc/letsencrypt directory and started everything from scratch. Now it works fine.
-----------------------
DNS-01 validation uses a TXT record for _acme-challenge.sub.example.com.

HTTP-01 validation uses a file in http://sub.example.com/.well-known/acme-challenge/.

TLS-SNI-01 validation connects to https://sub.example.com/ with a weird SNI hostname for a special certificate.

So, HTTP-01 and TLS-SNI-01 just require the ability to run a web server, and DNS-01 requires control over one record.
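What the HTTP-01 file and the DNS-01 TXT record actually contain, as an added example that is not part of the original thread or of certbot's own code: both are derived from the challenge token and the ACME account key per RFC 8555 (key authorization) and RFC 7638 (JWK thumbprint), which is why the same account key must be used on whichever server answers the challenge. The account key values and the token below are constructed sample data, not a real key; TLS-SNI-01 is left out because Let's Encrypt has since retired that challenge type.

```python
"""Derive what each ACME challenge provisions for a given hostname, token and
account key. Added illustration (RFC 8555 section 8, RFC 7638), not certbot code."""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint input is the JSON of only the required public
# members, lexicographically ordered, with no whitespace. Optional members
# such as "kid" or "use" are ignored, so they do not change the thumbprint.
_REQUIRED_MEMBERS = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
}


def jwk_thumbprint(jwk: dict) -> str:
    required = _REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(SHA-256(JWK))."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_provision(hostname: str, token: str, jwk: dict) -> dict:
    """What the web server on port 80 must serve: the URL and the exact body."""
    return {
        "url": f"http://{hostname}/.well-known/acme-challenge/{token}",
        "body": key_authorization(token, jwk),
    }


def dns01_provision(hostname: str, token: str, jwk: dict) -> dict:
    """What the DNS operator must publish: record name and TXT value
    (base64url of the SHA-256 of the key authorization, not the token)."""
    ka = key_authorization(token, jwk)
    return {
        "name": f"_acme-challenge.{hostname}",
        "txt": b64url(hashlib.sha256(ka.encode("ascii")).digest()),
    }


# Constructed sample inputs: a P-256 public JWK with made-up coordinates and a
# made-up challenge token. Real tokens come from the CA's challenge object.
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "MKBCTNIcKUSDii11ySs3526iDZ8AiTo7Tu6KPAqv7D4",
    "y": "4Etl6SRW2YiLUrN5vfvVHuhp7x8PxltmWWlbbM4IFyM",
}
SAMPLE_TOKEN = "DGyRejmCefe7v4NfDGDKfA"

if __name__ == "__main__":
    host = "cloud.example.com"
    print("http-01:", http01_provision(host, SAMPLE_TOKEN, SAMPLE_JWK))
    print("dns-01: ", dns01_provision(host, SAMPLE_TOKEN, SAMPLE_JWK))
```

The practical consequence for the setup in the question: the HTTP-01 file for cloud.example.com has to be served by whichever server the A/AAAA record points at (server B), with port 80 reachable from the internet, while DNS-01 needs only a TXT record under _acme-challenge.cloud.example.com and does not care which server runs certbot.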