ACME.SH Multiple domain DNS

A multi-domain certificate we have that uses DNS alias + standalone is failing to renew due to ONE of the domains not being used any more (ver 3.0.5).

As there are many domains using the one certificate with "alternate names", I don't wish to remove the cert. How can I remove ONE domain + its aliases, e.g. , from the renewal process? Do I edit the main domain's .conf file manually? I have tried using --remove -d name but this fails, of course, because the main domain the cert is under isn't listed, as the renewal uses a combination of DNS alias and standalone for the domains it covers.
The error on renewal quotes "Sign failed, finalize code is not 200.":
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA forDNS problem: networking error looking up CAA for"
"status": 403


I should've kept going... the answer is in the main domain's cert .conf file... simply edit the
Le_Alt= domains or aliases you don't want or want to ADD
then also edit
Le_Webroot= to match the removed or added names.
Save, then FORCE cert renewal again; it will succeed.


Hi @MacEncrypt, welcome to the forum...
So from reading your second post you resolved the issue... yes?
My question is: did you intend to remove and all its subdomains, or did I read that wrong?
Curious ;@)


Hi Rip! Yes, the issue is resolved. Our issue was having a singular main domain that is updated by standalone, then a mix of multiple "other domains", some by standalone, some by DNS Cloudflare verification. Let's say our main domain is and we host mail for and these also have aliases such as . The issue at hand is that is still in use and valid and needs to be updated; however, isn't pointing to us anymore and STOPS the renewal process.
I couldn't find a simple command in to REMOVE AND all its subdomains from the cert. Scouring around, I found you can edit the and then force a renewal of the cert, thus removing the domains you don't want, or possibly also adding new ones... In our case --remove -d would not work as the cert's main domain is (we did not want x3 certs for x3 domains, just to keep all under one simple cert).


Thank you for your quick response. I know the issue has been marked as resolved and I am being poked by "the system" because I have questions that may affect other users asking for assistance here.

First... Were you able to find the documentation for this on the "official" repo or did you find it elsewhere?

Secondly, could you give an example of your issuance command after you modified the config file? And how many domains were affected by the new certificate you obtained?
Sorry for so many questions, but I truly believe that your experience can and will benefit others that use the client.


Hi Rip, yeah, I found the loose process via the acmesh-official issue page; somebody was asking for a simpler inbuilt command to achieve what I did. The exact link is here from 2020 (I notice the last reply from 2022 was all I needed to guess I was digging in the right place): Request: Add method to EXPAND an already existing certificate · Issue #2743 · acmesh-official/ · GitHub. Neil Pang mentions seeing how many users want it implemented...
For us we had two domains to remove and two to keep; the result ended with two domains being removed and two being kept.
The command used is as below: --force --renew -d --server letsencrypt


For total completeness, this is the before and after of editing the conf file inside

Le_Alt=',,,,,' <<< Edit Le_Alt
Le_Webroot='dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,no' <<<< reflect these to above removal or addition

End result prior to force renewal
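The conf edit this post describes, as an added worked example (not acme.sh code and not the poster's own): it drops a domain and every name under it from Le_Alt and removes the positionally matching Le_Webroot entries, so the two lists cannot drift out of step. It assumes, as in the acme.sh conf format, that Le_Webroot holds one validation method per name in the order main domain first, then the Le_Alt names (or a single shared method); the sample conf values and domain names are constructed.

```python
import re

# Constructed sample of the relevant keys from an acme.sh <main-domain>.conf;
# domain names are invented and the real file carries many more keys.
SAMPLE_CONF = """Le_Domain='mail.example.test'
Le_Alt='example.test,smtp.example.test,old.example.test,www.old.example.test'
Le_Webroot='no,dns_cf,dns_cf,dns_cf,dns_cf'
"""

def _read_list(conf, key):
    """Return the comma-separated value of key as a list ('no' or '' means empty)."""
    m = re.search(rf"^{key}='([^']*)'$", conf, re.M)
    if m is None:
        raise KeyError(f"{key} not found in conf")
    raw = m.group(1)
    return [] if raw in ("", "no") else raw.split(",")

def _write_list(conf, key, values):
    """Rewrite key='...' in place; acme.sh stores an empty list as 'no'."""
    new = f"{key}='{','.join(values) if values else 'no'}'"
    return re.sub(rf"^{key}='[^']*'$", lambda _: new, conf, count=1, flags=re.M)

def drop_domains(conf, unwanted):
    """Remove each unwanted name (and names under it) from Le_Alt together
    with its Le_Webroot entry. Assumption: Le_Webroot lists one method per
    name, main domain first, unless it holds a single shared method."""
    main = _read_list(conf, "Le_Domain")[0]
    names = [main] + _read_list(conf, "Le_Alt")
    webroot = _read_list(conf, "Le_Webroot")
    shared = len(webroot) == 1 and len(names) > 1
    if not shared and len(webroot) != len(names):
        raise ValueError(f"Le_Webroot has {len(webroot)} entries for "
                         f"{len(names)} names; refusing to edit")

    def is_unwanted(name):
        return any(name == u or name.endswith("." + u) for u in unwanted)

    if is_unwanted(main):
        # The thread's point: the main domain cannot be dropped this way,
        # only replaced by issuing a new certificate.
        raise ValueError("main domain can only be replaced by a new --issue")
    kept = [n for n in names if not is_unwanted(n)]
    conf = _write_list(conf, "Le_Alt", kept[1:])
    if shared:
        return conf  # one method covers every name; nothing to realign
    kept_methods = [w for n, w in zip(names, webroot) if not is_unwanted(n)]
    return _write_list(conf, "Le_Webroot", kept_methods)

if __name__ == "__main__":
    print(drop_domains(SAMPLE_CONF, {"old.example.test"}))
```

After writing the result back, a forced renewal as in the post above picks up the shortened name list.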



Thank you. Cheers and best luck from Yachats, Oregon. I PM'd Neilpang on this to take a look at the issue you were experiencing. He may or may not respond. But as a user of I, so far, have not had to remove subdomains from my certificates. But I do see a couple coming.

He may be able to "tweak" or give an example of the process to make it more efficient or effective. And your modifications of existing documentation on the official site may influence him to add to or update current documentation to make some of these kinds of issues more easily resolved by others.

Thanks again.


Yes, you can edit the conf file, but it's not recommended.

You should use the --issue command to apply a new cert for the new domains.