Jackson Ray Hamilton

Reputation: 9466

letsencrypt/certbot - Multiple authenticators, one certificate

I'd like to use letsencrypt/certbot to create/renew a certificate for a set of domains, where some of the domains require different authenticators. Two domains, example.com and www.example.com, are hosted on Amazon S3 / CloudFront. Another domain, api.example.com, is hosted on an Amazon EC2 instance. I am assuming all of these domains should have the same certificate.

I think that I need to utilize the letsencrypt-s3front plugin (or the AWS API calls which letsencrypt-s3front uses), to create/renew the certificate for the example.com and www.example.com domains, along with the webroot plugin to create/renew the (same) certificate for the api.example.com domain. But I don't see any examples anywhere demonstrating how to use two authenticators at once.

  1. Do I actually need/want one certificate for all of these domains?
  2. If so, how do I use letsencrypt/certbot to authenticate domains where more than one authenticator is required?

Upvotes: 2

Views: 772

Answers (2)

Guss

Reputation: 32335

For the OP's specific use case, dns-01 authentication using the route53 DNS plugin would suffice: instead of using an HTTP-based authentication that would require multiple authenticators, use a single authenticator and authorize all of your domains using Route53 - which I'm assuming is what you use for DNS for all those domains.

I have a similar use case where I'm already using dns-01 for authentication, but I need to use multiple authentication accounts (with the same plugin) for multiple domains on the same certificate - and I don't think that is supported.

Upvotes: 0
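The single-authenticator approach described in the answer above, as an added example that is not part of the original post or of the certbot project: one `certonly` run with the Route53 dns-01 plugin for all three names from the question, followed by a check that the issued certificate's SAN list covers every name. It assumes Route53 hosts DNS for all three names, that the certbot-dns-route53 plugin and AWS credentials are present, and OpenSSL 1.1.1 or later; the function names, the `issue` argument and the `--cert-name` value are hypothetical.

```shell
#!/bin/sh
# Constructed example: the names from the question, all on one certificate.
DOMAINS="example.com www.example.com api.example.com"

# Emit certbot arguments: a single dns-01 authenticator (Route53 plugin)
# and one -d per name, so every name lands on the same certificate.
certbot_args() {
    args="certonly --dns-route53 --cert-name example.com"
    for d in $DOMAINS; do
        args="$args -d $d"
    done
    printf '%s\n' "$args"
}

# Given a SAN line such as "DNS:a.example, DNS:b.example", print each wanted
# name that is absent. Empty output means the certificate covers them all.
missing_sans() {
    san_line=$1
    # Normalise to one bare hostname per line.
    have=$(printf '%s\n' "$san_line" | tr ',' '\n' |
           sed -e 's/^ *DNS://' -e 's/ *$//')
    for d in $DOMAINS; do
        # -x: whole-line match, -F: literal string (dots are not wildcards)
        printf '%s\n' "$have" | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# Run as "sh issue.sh issue" on a host with certbot, the certbot-dns-route53
# plugin and AWS credentials allowed to edit the hosted zone (assumptions).
if [ "${1:-}" = "issue" ]; then
    # Word splitting of the argument list is intended here.
    certbot $(certbot_args)
    # Default certbot live path for the --cert-name chosen above.
    san=$(openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem \
            -noout -ext subjectAltName | tail -n 1)
    [ -z "$(missing_sans "$san")" ] || {
        echo "certificate is missing names" >&2
        exit 1
    }
fi
```

Because the certificate is issued on one host, the certificate and key still have to be delivered to CloudFront and to the EC2 instance separately; that step is outside this sketch.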

user650881

Reputation: 2505

We generate separate certificates for each service such as (www.)example.com and api.example.com. For our use-case it works just fine.

Upvotes: 0
