Shared vs individual aliases

kiler129

As per acme.sh docs linked from CW "Domain Aliases" docs one can either use a common verification subdomain or individual ones:

# Delegation setup
verify.example.tld.  A    192.0.2.2
verify.example.tld.  NS   verify.example.tld.

# Common
foo.example.tld.                  A      192.0.2.100
bar.example.tld.                  A      192.0.2.101
baz.example.tld.                  A      192.0.2.102
_acme-challenge.foo.example.tld.  CNAME  common.verify.example.tld.
_acme-challenge.bar.example.tld.  CNAME  common.verify.example.tld.
_acme-challenge.baz.example.tld.  CNAME  common.verify.example.tld.

# Individual
abc.example.tld.                  A      192.0.2.200
def.example.tld.                  A      192.0.2.201
ghi.example.tld.                  A      192.0.2.202
_acme-challenge.abc.example.tld.  CNAME  abc.verify.example.tld.
_acme-challenge.def.example.tld.  CNAME  def.verify.example.tld.
_acme-challenge.ghi.example.tld.  CNAME  ghi.verify.example.tld.

Obviously using common verification subdomain delegation is much simpler. However, it creates an issue of concurrency - while foo.example.tld is being renewed, neither bar.example.tld nor baz.example.tld should have renewal triggered.

Does Cert Warden support usage of a single subdomain delegation for verification?

gregtwallace

It isn't really simpler. You have to make a CNAME for every subdomain you want to use either way.

Cert Warden supports both. It requires more configuration to use the common route though as you'd have to create an alias for every subdomain. I'd recommend doing something like aliasing

example.com to verifyexamplecom.othertld.com and then domains would be like one.example.com -> one.verifyexamplecom.othertld.com

Everything is nested under that common subdomain, no overlap, and less configuration.