Some notes about dehydrated.
When generating a certificate (dehydrated -c [-x]) on one server (a.example.com) for another server (b.example.com), the second one must forward requests for the /.well-known/acme-challenge URL to the first one.
For example, if you use NGINX, you should have, on server a.example.com, a configuration file with the following content:
location ^~ /.well-known/acme-challenge { auth_basic "off"; alias /var/lib/dehydrated/acme-challenges; }
For server b.example.com, the counterpart will then look like:
location ^~ /.well-known/acme-challenge { auth_basic "off"; proxy_pass http://a.example.com/.well-known/acme-challenge; }
The /etc/dehydrated/domains.txt file of server a.example.com must contain both servers, of course.
Once the certificate(s) are generated, you have to copy the /var/lib/dehydrated folder from server a.example.com to server b.example.com (not yet tested…).
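
A pre-flight check for the setup above, as an added example that is not part of the original notes: before running dehydrated -c on a.example.com, it drops a random probe file into the challenge directory and confirms that each host serves it back unchanged through its /.well-known/acme-challenge URL. It assumes curl is installed; the WELLKNOWN and FETCH variables and the function names are introduced here for illustration.

```shell
#!/bin/sh
# Added example, not part of the original notes. Run on a.example.com
# before `dehydrated -c`. Assumes curl is installed; WELLKNOWN and FETCH
# are hypothetical override variables introduced here.
WELLKNOWN="${WELLKNOWN:-/var/lib/dehydrated/acme-challenges}"
FETCH="${FETCH:-curl -fsS --max-time 10}"

# check_host HOST: write a random probe file into $WELLKNOWN, fetch it
# through HOST's challenge URL, and compare. Returns 0 only on exact match.
check_host() {
    host="$1"
    token="preflight-$$-$(date +%s)"          # constructed probe file name
    secret="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$secret" > "$WELLKNOWN/$token" || return 2
    got="$($FETCH "http://$host/.well-known/acme-challenge/$token" 2>/dev/null)"
    rc=$?
    rm -f "$WELLKNOWN/$token"                  # never leave probes behind
    # A 200 with different content (error page, wrong backend) must fail too.
    [ "$rc" -eq 0 ] && [ "$got" = "$secret" ]
}

# check_all HOST...: report each host, return the number of failures.
check_all() {
    failures=0
    for h in "$@"; do
        if check_host "$h"; then
            echo "OK   $h"
        else
            echo "FAIL $h"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Usage: sh preflight.sh a.example.com b.example.com
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

A FAIL for b.example.com means its proxy_pass location is not reaching the challenge directory on a.example.com, so the validation for that name would fail as well.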