Certbot example: wildcard certificate

From wikinotes

Setup

1. Create servers/DNS-records for your desired subdomains

2. Request a certificate from any server

certbot certonly \
    --manual --server 'https://acme-v02.api.letsencrypt.org/directory' \
    --domain '*.example.com,example.com' \
    --agree-tos \
    --no-eff-email

3. Let's Encrypt will request that you create a 'TXT' DNS record (the DNS challenge for the wildcard name)

name:   _acme-challenge.example.com
value:  <provided value>

4. Let's Encrypt will request that you create a file on your webserver (the HTTP challenge for the bare domain, example.com)

5. Wait for the DNS change to propagate before letting certbot continue

6. The certificate will be created in a directory named after the domain (the wildcard's "*." prefix is dropped)

/etc/letsencrypt/live/example.com/fullchain.pem

Redirection and SSL

The proper way to do redirection is by returning HTTP 301 (Moved Permanently). Under the hood, this is what happens when AWS's Route 53 defines an A/AAAA record alias.

To avoid a TLS (SSL) certificate error, your certificate must be a SAN certificate (a certificate that is valid for multiple domains). Every hostname the client passes through during the redirect must be listed in the certificate, because the browser validates the certificate of each hostname before it follows the 301.

For example:

findregion.example.com -(redirects-to)-> region.example.com

In this case, your certificate must be valid for:

example.com
findregion.example.com
region.example.com

You can resolve this in two ways:

  1. a wildcard SAN certificate (*.example.com, example.com); note that the wildcard matches exactly one label and does not cover the bare domain, which is why example.com must be listed separately
  2. an explicit SAN certificate (findregion.example.com, region.example.com, example.com)
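The following checker, an added example that is not part of the original notes, verifies the redirect rule above against a certificate's SAN list: it takes the DNS names as printed by `openssl x509 -in /etc/letsencrypt/live/example.com/fullchain.pem -noout -ext subjectAltName` (the certificate from step 6 of the setup), applies the single-label wildcard matching rule, and reports any hostname in a redirect chain the certificate does not cover. The SAN lists and hostnames below are constructed sample data, and the function names are this example's own.

```python
"""Check that a certificate's SAN list covers every hostname in a redirect chain.

Added example, not from the original notes. Assumes the SAN text comes from
`openssl x509 -in fullchain.pem -noout -ext subjectAltName`, whose last line
looks like `DNS:*.example.com, DNS:example.com`. All sample data is constructed.
"""
import re


def parse_openssl_san(text: str) -> list[str]:
    """Extract the DNS names from the subjectAltName text that openssl prints."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", text)]


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN entry against a hostname using the browser rule:
    a leading '*' covers exactly one label, so *.example.com matches
    region.example.com but neither example.com nor deep.region.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # "*.example.com" -> ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    # The wildcard must stand in for a single non-empty label.
    return bool(leftmost) and "." not in leftmost


def uncovered_hosts(sans: list[str], chain: list[str]) -> list[str]:
    """Return the hostnames in a redirect chain that no SAN entry covers."""
    return [host for host in chain if not any(san_matches(san, host) for san in sans)]


# Constructed sample: the redirect chain from the notes.
REDIRECT_CHAIN = ["findregion.example.com", "region.example.com", "example.com"]

# Constructed sample SAN lists for the two options described above, plus the
# common mistake of requesting only the wildcard and forgetting the bare domain.
WILDCARD_SANS = parse_openssl_san(
    "X509v3 Subject Alternative Name:\n    DNS:*.example.com, DNS:example.com\n"
)
EXPLICIT_SANS = ["findregion.example.com", "region.example.com", "example.com"]
WILDCARD_ONLY = ["*.example.com"]

if __name__ == "__main__":
    for label, sans in [("wildcard", WILDCARD_SANS),
                        ("explicit", EXPLICIT_SANS),
                        ("wildcard only", WILDCARD_ONLY)]:
        missing = uncovered_hosts(sans, REDIRECT_CHAIN)
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{label}: {status}")
```

Run it after the certificate is issued with the real openssl output substituted for the constructed string; a non-empty result for any hostname in the chain means a browser will raise a certificate error at that hop of the redirect.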