SSL Certificate with subdomain on different server

Tags: domain-name-system, lets-encrypt, ssl-certificate

Hi, I have a specific problem which I haven't faced before, because I never had to run different certificates for the same domain and subdomain, but another company is requesting to run their own certificate on their server. The thing is, the main domain and the subdomain are on different servers.

This is the scenario:

On my hosting I have created maindomain.tld and I have created subdomain.maindomain.tld.
On that same hosting I have a Let's Encrypt certificate, and it works fine for all domains and subdomains on that server.

But the other company wants to run their own script on their own server, so in the DNS fields they requested me to input an A record for the subdomain pointing to their server IP.

DNS would look basically like this:

A subdomain.domain.tld (secondary server ip)

A domain.tld (main server ip)

NS domain.tld ns1.mainserver.tld

CAA domain.tld 0 issuewild "letsencrypt.org"

This is a short version; basically it is like any other setup: the main domain goes to ns1 and ns2 of the hosting, the subdomain goes to the other company's server IP.

They have requested me to remove the CAA record, but the problem is, Let's Encrypt requires having a CAA record on the domain; otherwise it won't renew when it's time.

They are unable to renew their own certificate on their server because there is Let's Encrypt on the main server domain.

I have an option to generate a Let's Encrypt certificate on subdomains or to uncheck the option for subdomains; also, as I understand it, a wildcard should allow generation of a certificate for subdomains too.

So how can we make it work so that both servers are able to renew certificates properly? I just want to mention they use Sectigo.

Best Answer

let's encrypt is requiring to have CAA on the domain

This is not true, see https://letsencrypt.org/docs/caa/

You can use CAA records, and Certificate Authorities need to query for them and use them if they exist. If they don't, it is business as usual.

They are unable to renew their own certificate on their server because there is let's encrypt on the main server domain. [..] So how can we make it work that both servers are able to renew certificates properly. I just want to mention they use sectigo.

Easy then: keep your CAA record (if you want), and add another CAA record on the subdomain with Sectigo mentioned. Hence certificates for the subdomain can be delivered by Sectigo (and no one else), while certificates for the domain can be delivered by Let's Encrypt (and no one else).

Note that the behavior you observe is specifically because CAA record queries "climb" up towards the root. If no records are found on a name, the CA has to recurse towards the root to find a CAA record, so they obviously hit your current one even for the subdomain.

Certificates are not tied to specific servers. You can have as many different certificates as you want at any given time, installed on multiple servers, with multiple names in them.
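To make the climbing rule and the proposed fix concrete, here is an added example (not code from the question or the answer) that evaluates CAA the way RFC 8659 describes, over a constructed in-memory zone using the placeholder names from the question instead of live DNS. The record contents are assumptions: the "before" zone has the hosting's Let's Encrypt issue and issuewild records at the apex, the "after" zone adds the Sectigo-only record on the subdomain that the answer recommends, and a third zone holds literally the single issuewild record shown in the question. That third case is included because RFC 8659 says issuewild is ignored when processing a non-wildcard name, so that record on its own does not restrict a normal certificate for the subdomain. CNAME/DNAME following and the critical flag are left out for brevity.

```python
"""Simplified CAA evaluation after RFC 8659: climb from the requested name
toward the root, take the first CAA RRset found, then apply issue/issuewild
semantics. Added example for this page, not code from the question or answer.
Uses a constructed in-memory zone; no CNAME/DNAME following, no critical flag."""

# Constructed zone data. Names are the placeholders from the question; the
# record contents are assumptions that model the described setup.
# Each record is (flags, tag, value).
ZONE_BEFORE = {  # only the hosting's CAA at the apex
    "domain.tld": [(0, "issue", "letsencrypt.org"),
                   (0, "issuewild", "letsencrypt.org")],
}
ZONE_AFTER = {  # the answer's fix: a Sectigo-only CAA on the subdomain
    "domain.tld": [(0, "issue", "letsencrypt.org"),
                   (0, "issuewild", "letsencrypt.org")],
    "subdomain.domain.tld": [(0, "issue", "sectigo.com")],
}
ZONE_ISSUEWILD_ONLY = {  # literally the single record shown in the question
    "domain.tld": [(0, "issuewild", "letsencrypt.org")],
}


def relevant_caa_rrset(zone, name):
    """Return (owner, rrset) for the closest CAA RRset at or above name,
    or (None, None) when neither the name nor any ancestor has one
    (the RelevantCAASet procedure of RFC 8659 section 3)."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, None


def issuer_domain(value):
    """Strip CAA parameters: 'letsencrypt.org; validationmethods=dns-01'
    becomes 'letsencrypt.org'; the special value ';' becomes '' (no CA)."""
    return value.split(";", 1)[0].strip().lower()


def is_issuance_permitted(zone, name, ca_domain):
    """Decide whether ca_domain may issue for name ('*.x' is a wildcard name).
    Returns (permitted, reason)."""
    wildcard = name.startswith("*.")
    lookup = name[2:] if wildcard else name      # '*.x' is evaluated at 'x'
    owner, rrset = relevant_caa_rrset(zone, lookup)
    if rrset is None:
        return True, "no CAA on the name or any ancestor; issuance unrestricted"
    if wildcard:
        # issuewild takes precedence for wildcard names; fall back to issue.
        relevant = ([r for r in rrset if r[1] == "issuewild"]
                    or [r for r in rrset if r[1] == "issue"])
    else:
        # issuewild is ignored for non-wildcard names (RFC 8659 section 4.3).
        relevant = [r for r in rrset if r[1] == "issue"]
    if not relevant:
        return True, f"CAA at {owner} has no property relevant to {name}; unrestricted"
    allowed = {issuer_domain(v) for _, _, v in relevant}
    if ca_domain.lower() in allowed:
        return True, f"CAA at {owner} authorizes {ca_domain}"
    return False, f"CAA at {owner} authorizes only {sorted(a or ';' for a in allowed)}"


if __name__ == "__main__":
    checks = [
        ("before", ZONE_BEFORE, "subdomain.domain.tld", "sectigo.com"),
        ("before", ZONE_BEFORE, "subdomain.domain.tld", "letsencrypt.org"),
        ("after", ZONE_AFTER, "subdomain.domain.tld", "sectigo.com"),
        ("after", ZONE_AFTER, "subdomain.domain.tld", "letsencrypt.org"),
        ("after", ZONE_AFTER, "domain.tld", "letsencrypt.org"),
        ("after", ZONE_AFTER, "*.domain.tld", "sectigo.com"),
        ("issuewild-only", ZONE_ISSUEWILD_ONLY, "subdomain.domain.tld", "sectigo.com"),
    ]
    for label, zone, name, ca in checks:
        ok, why = is_issuance_permitted(zone, name, ca)
        print(f"[{label:14}] {ca:16} -> {name:22} {'ALLOW' if ok else 'DENY ':5} ({why})")
```

Two things the run makes visible that the answer only implies: after the subdomain record is added, the hosting's own Let's Encrypt client is also denied for subdomain.domain.tld (so the "include subdomains" option on the main server should be unchecked for that name), and a wildcard request for `*.domain.tld` is evaluated at `domain.tld`, so the subdomain's CAA record neither permits nor blocks it. To check the live zone rather than the constructed one, `dig +short CAA subdomain.domain.tld` and `dig +short CAA domain.tld` show exactly the RRsets a CA would walk through.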
