SSL Certificate with subdomain on different server

Discussion in 'Installation/Configuration' started by lonerunner, Apr 29, 2021.

  1. lonerunner

    lonerunner Member

    Hi i have specific problem which i haven't faced before because i never had to run different certificate for the same domain and subdomain but other company is requesting to run their own certificate on their server, the thing is main domain and subdomain are on a different servers.

    This is the scenario:

    On my hosting i have created maindomain.tld and i have created subdomain.maindomain.tld
    On that same hosting i have let's encrypt certificate and it works fine for all domains and subdomains on that server.

    But the other company want to run their own script on their own server, so in DNS fields they requested me to input A record for subdomain on their server ip.

    DNS would look basically like this:

    A subdomain.domain.tld (secondary server ip)
    A domain.tld (main server ip)
    NS domain.tld ns1.mainserver.tld
    CAA domain.tld 0 issuewild ""

    This is a short version, basically like any other setup, main domain is going to ns1 and ns2 of the hosting, subdomain is going to other company server IP.

    They have requested me to remove CAA record, but let's encrypt added that, and i am not sure if it will automatically renew next time if i remove CAA record.

    They are unable to renew their own certificate on their server because there is let's encrypt on the main server domain.

    I have an option to generate let's encrypt certificate on subdomains or to uncheck the option for subdomains, also as i understand wildcard should allow generation of certificate for subdomains too.

    So how can we make it work that both servers are able to renew certificates properly. I just want to mention they use sectigo on cpanel.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Add a CAA record that allows sectigo to issue certificates for that subdomain: CAA
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You just need to create another CAA for the subdomain:
    CAA subdomain.domain.tld 0 issue ""
  4. lonerunner

    lonerunner Member

    Alright thank you, that was my thoughts exactly, if i add CAA for sectigo it will allow them to generate certificate.

    Just one question, how do i go exactly with this setup?
    Add CAA for domain and for subdomain separately?
    Should let's encrypt be `issuewild` or just `issue` for main domain ?
    And then add sectigo only for subdomain?
    In ISPConfig there is an option on subdomain "Don't add to Let's Encrypt certificate" i should check that ?

    Attached Files:

  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I have moved your post to the ISPConfig 3 board as you are using ISPConfig.
    When it exists for the main domain, it's used for all subdomains, unless a CAA record exists for one, which then overrules the rule for the main domain.

    Issue is fine.
    Only sectigo for the subdomain is fine.

    You should add their site as website with the domain "" not as subdomain of in the Sites module. Enable SSL and add the Sectigo cert under the SSL tab and select "Save certificate" as action.
  6. lonerunner

    lonerunner Member

    Honestly, This part confuses me now, why should be added separately as domain, not just as subdomain. And their cert is also renewing every 3 months which means if i add it to the SSL tab, every 3 months i will have to add it manually?
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Because they have a separate site, right?

    And yes, you will. Why not use Let's Encrypt though?
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I may misunderstand your setup, but with:
    I understood that the subdomain was running on a non-ispconfig server? In that case you don't add anything at all for a website, just add the appropriate DNS entries to the main domain's zone.
    If it is a site on an ISPConfig server, you could set it up under their own client, and let them be responsible for updating the certificate.
  9. lonerunner

    lonerunner Member

    Yes, but they don't need to host it with me, they want it just for the subdomain to point to their server. Maybe i misunderstand but creating subdomain as a domain is purpose to give the separate access for the website path

    Can let's encrypt actually work and be valid if i add it on my hosting but point A record of subdomain to their server IP? From where the certificate will be loaded if subdomain point to their server IP? From my server and let's encrypt, or from their server and sectigo?

    They are kinda bitching about ISPConfig, i told them they have full access to the account and can set it up however they want but they are the "superior" CPanel users and don't want to manage this on ISPConfig because they don't know this hosting panel.

    The main domain is running on ISPConfig, i added subdomains through ISPConfig subdomain option, the DNS is managed fully through ISPConfig, the A record in DNS in ispconfig point to their server IP for subdomain, after that, the script on subdomain is running on their hosting with CPanel.
    Sorry guys if i confused you by posting in wrong section. If needed i can post you a screenshots of how i set up everything on my side in ISPConfig.
  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Your domain can use letsencrypt for the certificate. Their subdomain could as well if they set that up in cpanel, but is sounds like they want to use sectigo, so not applicable.
    From their server.
    Don't add their subdomain in ISPConfig, just the DNS entries.
  11. lonerunner

    lonerunner Member

    So i guess in the end the working solution would be to add CAA record for as you guys suggested in the first place.

    Except i went to ISPConfig DNS settings and ISPConfig add it as, there is no option to add it to subdomain only, i can't manually edit DNS details. Only if these two fields "Additional Hostnames" and "Additional Options" should be filled with something?

    Am i missing something or just being dumb?

    Annotation 2021-04-30 011503.png Annotation 2021-04-30 011434.png
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    As the subdomain name to additional hostnames.
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Sectigo is the new name of Comodo. So both work fine and most people know the company as Comodo.

Share This Page