How to obtain Letsencrypt cert for multiple hosts on same domain

this is going to sound stupid i know, but i am having a mental blank moment i think.

imagine the following VPS server group on vultr network

server1.tesla.com (ip 12.34.56.78)
server2.tesla.com (ip 23.45.67.89)
server3.tesla.com (ip 45.67.12.78)
server4.tesla.com (ip 1.56.79.32)

how do we obtain letsencrypt SSL certs for each of those VPS servers that have different public ipaddresses but the same primary domain? I cant get letsencrypt to issue one for each.

I can obviously create a virtual host on one of them with the primary domain and obtain a certificate for that VPS...example

server1.tesla.com
- virtual host = tesla.com (SSL for both website and host)

The above will obtain a letsencrypt certificate of course, but what about the other 3 VPS? whenever i try just obtaining an SSL for a host by itself (ie server3.tesla.com), i get an error ...i think it at least needs a website on each VPS. That is a problem, because i cant have a single primary domain (tesla.com) dns resolve to 4 different public ipaddresses.

So how do i do this? I have heard about wildcards and/or SNI but i am not sure whether either are appropriate or how to do them with letsencrypt. Someone has even mentioned to me to simply create a single cert with all 4 hosts on it using the first server for the transaction. It seems silly to me that servers should have entries for SSL that do not relate to the VPS they are on?

also, the intention is for these VPS to host both websites and mail

Ideally, i want each VPS to have its very own SSL that is not also used by one of the apache websites on the server. Is that possible?

A detailed how to would be really appreciated

 

A record for each subdomain. I did that a lot.

 

but how do you obtain that record?
3 of my VPS dont have any apache virtual hosts on them...so letsecnrypt throws an error if i attempt to obtain an ssl from any of the other VPS.

Do you mean, I need to ask for all of the subdomains (tesla2, tesla3, tesla4) to be included on the certificate that is obtained using "server1.tesla.com" that also has the apache virtual host "tesla.com"?

 

Simple. Use your dns manager to do that. I use CF as dns manager for some of my domain and I set A record for each subdomain that I want to be on separate ip.

 

how can this work when normally the host.domain.com has port 80 access disabled? You normally only access the host domain on custom port so it cant get hacked so easily?
Is it possible to tell letsencrypt not to use port 80?
I dont see how this can work when letsencrypt copies a file to the public_html directory for the acme test...if the "VPS host" itself is not allowing direct access on port 80 because its not supposed to be directly accessible via that port, then this test cannot work and therefore a http error will result when letsencrypt runs.

if this was just a simple subdomain then of course the above method should work, because the subdomain is not the VPS host itself and therefore an apache virtual host on port 80 is open to the internet so it can serve files/websites. In that instance a suddomain will work...but this is for the servers own SSL cert where the primary domain is actually on a different system (because i have 4 of them using tesla.com ie server1.tesla, server2.tesla etc)

What i need to be able to do, is obtain an SSL cert without letsencrypt needing access to public_html directory on port 80...the VPS host server2.tesla.com is the VPS itself...it does not nave an active public_html directory with a website on it (why would i even want it to have one?)

this is all only a problem because i want the postfix mail server to function using SSL on server2.tesla.com or server3.tesla.com etc.

So if a client is using shared hosting, they are connecting to my mail server via outgoing STMP = server2.tesla.com, encryption method = SSL or STARTTLS

I cant run smtp with encryption if the VPS wont obtain letsencrypt SSL cert becaue it also does not have the primary domain as a virtual host in apache (that is already being used by server1.tesla.com)

 

I did share how I created LE SSL certs with dns challenge / validation via CF (CloudFlare) as my domain dns manager in here: https://www.howtoforge.com/communit...via-certbot-dns-validation-in-acme-v02.79049/

You will also need to add / ensure you have CAA record for the intended subdomains.