Tricky DNS vs. LetsEncrypt problem


I’m currently confronted with a tricky problem that I can’t seem to solve. Here goes.

I have two servers that are supposed to be hosting web and mail services for a given domain. Currently I have something like this:

Server A:

Server B:

Here’s the thing. I’d like to migrate everything except mail/webmail to server B. But there’s a problem I can’t seem to solve:

With BIND I can have an MX record for that. But what about LetsEncrypt? I can only have a certificate for “” on a single machine. Looks like I’m confronted with an impossible choice.



You can create as an A record with the IP of the mail server. You create an MX record to use can be the IP for server B, or even as well either as A record or CNAME for

Letsencrypt can create certificates for on both servers. I use letsencrypt with my DNS via Cloudflare, which means I can use the certbot cloudflare plugin to create wildcard certificates, and I even have * on multiple servers, each server creating their own wildcard. Or for example, letsencrypt on server A, and certs for and on server B.

Whilst the email address is the MX doesn’t need to be It can be anything you like, eg:,


Letsencrypt supports multiple domain names in certs and even wildcard certs.
Wildcard certs require you to use their DNS-01 challenge instead of the default challenge method with certbot. See their FAQ.

With both variants you can create a single cert for all your services and then simply deploy that single cert to all your servers using a renew_hook in certbot.


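The single-cert-plus-hook approach from the answer above, written out as an added example that is not from the thread: a certbot deploy hook that ships the renewed multi-domain (or wildcard) cert to the mail host and reloads the mail daemons there. certbot really does export RENEWED_LINEAGE and RENEWED_DOMAINS to hooks; the host names, the destination path, the reload command and the root-over-ssh transport are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot --deploy-hook that pushes the
# one multi-domain/wildcard cert from the renewing host to the mail host.
# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) and
# RENEWED_DOMAINS (space-separated) to hooks; all other names are assumptions.
# -f disables globbing so a "*.example.com" SAN is never expanded as a pattern.
set -euf

MAIL_DOMAIN="${MAIL_DOMAIN:-mail.example.com}"     # assumed name the mail host serves
REMOTE_HOST="${REMOTE_HOST:-$MAIL_DOMAIN}"
REMOTE_DIR="${REMOTE_DIR:-/etc/ssl/letsencrypt}"   # assumed path on the mail host
RELOAD_CMD="${RELOAD_CMD:-systemctl reload postfix dovecot}"

# certbot runs the hook for every renewed lineage; only act when the cert
# actually covers the name the mail server presents.
lineage_matches() {
  for d in ${RENEWED_DOMAINS:-}; do
    [ "$d" = "$MAIL_DOMAIN" ] && return 0
  done
  return 1
}

# Transports, called as "ship SRC DEST MODE": a local copy (same host or tests)
# and scp+ssh for the second server. Key stays root-only, chain world-readable.
local_ship()  { install -m "$3" "$1" "$2"; }
remote_ship() {
  scp -q "$1" "root@$REMOTE_HOST:$2" && ssh "root@$REMOTE_HOST" chmod "$3" "$2"
}
remote_reload() { ssh "root@$REMOTE_HOST" "$RELOAD_CMD"; }

# deploy_cert LINEAGE_DIR DEST_DIR SHIP_FN RELOAD_CMD
# Refuses to run unless both PEM files are readable, so a half-written lineage
# never overwrites a working cert on the mail host.
deploy_cert() {
  src="$1"; dest="$2"; ship="$3"; reload="$4"
  [ -r "$src/fullchain.pem" ] && [ -r "$src/privkey.pem" ] || return 2
  "$ship" "$src/fullchain.pem" "$dest/fullchain.pem" 0644
  "$ship" "$src/privkey.pem"   "$dest/privkey.pem"   0600
  $reload
}

# Entry point when certbot invokes this file as the deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ] && lineage_matches; then
  deploy_cert "$RENEWED_LINEAGE" "$REMOTE_DIR" remote_ship remote_reload
fi
```

Install it with `certbot renew --deploy-hook /path/to/this.sh` (or as `renew_hook` in the lineage's renewal config); unrelated lineages are skipped because lineage_matches fails for them.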
