ACME.SH Multiple domain DNS

A multi-domain certificate we have that uses DNS alias + standalone is failing to renew because ONE of the domains is not being used any more.
acme.sh version 3.0.5

As there are many domains using the one certificate as "alternate names", I don't wish to remove the cert. How can I remove ONE domain and its aliases, e.g. webmail.exampledomain.com, from the renewal process? Do I edit the main domain's .conf file manually? I have tried using acme.sh --remove -d exampledomain.com, but this fails of course because the main domain the cert is under isn't listed as exampledomain.com; it's anotherdomain.com. The renewal uses a combination of DNS alias and standalone for the domains it covers.
The error on renewal quotes exampledomain.com: Sign failed, finalize code is not 200.
"type": "urn:ietf:params:acme:error:caa",
"detail": "Error finalizing order :: While processing CAA for DNS problem: networking error looking up CAA for exampledomain.com"
"status": 403


I should've kept going... the answer is in the main domain's cert .conf file. Simply edit
Le_Alt= (the domains or aliases you don't want, or want to ADD),
then also edit
Le_Webroot= to match the removed or added names.
Save, then FORCE cert renewal and it will succeed.


Hi @MacEncrypt, welcome to the forum...
So from reading your second post you resolved the issue, yes?
My question is: did you intend to remove exampledomain.com and all its subdomains, or did I read that wrong?
Curious ;@)


Hi Rip! Yes, the issue is resolved. Our issue was having a single main domain that is validated by standalone, then a mix of "other domains", some by standalone and some by DNS Cloudflare verification. Let's say our main domain is mastermaildomain.com and we host mail for someotherdomain.com and anotherexampledomain.com; these also have aliases such as webmail.someotherdomain.com and mail.anotherexampledomain.com. The issue at hand is that mastermaildomain.com is still in use and valid and needs to be updated; however, someotherdomain.com isn't pointing to us any more and STOPS the renewal process.
I couldn't find a simple command in acme.sh to REMOVE someotherdomain.com AND all its subdomains from the cert. Scouring around, I found you can edit mastermaildomain.com.conf and then force a renewal of the cert, thus removing the domains you don't want, or possibly also adding new ones. In our case acme.sh --remove -d someotherdomain.com would not work, as the cert's main domain is mastermaildomain.com (we did not want 3 certs for 3 domains; just keep all under one simple cert).


Thank you for your quick response. I know the issue has been marked as resolved, and I am being poked by "the system" because I have questions that may affect other acme.sh users asking for assistance here.

First... Were you able to find the documentation for this on the "official" acme.sh repo or did you find it elsewhere?

Secondly, could you give an example of your issuance command after you modified the config file? And how many domains were affected by the new certificate you obtained?
Sorry for so many questions, but I truly believe that your experience can and will benefit others who use the acme.sh client.


Hi Rip, yeah, I found the loose process via the acmesh-official issues page; somebody was asking for a simpler built-in command to achieve what I did. The exact link is here, from 2020 (I notice the last reply, from 2022, was all I needed to guess I was digging in the right place): Request: Add method to EXPAND an already existing certificate · Issue #2743 · acmesh-official/acme.sh · GitHub. Neil Pang mentions seeing how many users want it implemented...
For us we had two domains to remove and two to keep; the result ended with two domains being removed and two being kept.
The command used is as below:
acme.sh --force --renew -d mailserver.mastermaildomainthisisonlyforanexampletoshowyou.com --server letsencrypt


For total completeness, this is the before and after of editing the conf file inside
.acme.sh/mailserver.mastermaildomainthisisonlyforanexampletoshowyou.com/mailserver.mastermaildomainthisisonlyforanexampletoshowyou.com.conf

Before editing:

Le_Domain='mailserver.mastermaildomainthisisonlyforanexampletoshowyou.com'
Le_Alt='mail.someotherdomain.com,webmail.someotherdomain.com,someotherdomain.com,autodiscover.someotherdomain.com,autodiscover.someotherdomain.com,mail.anotherdomainexample.com'   <<< Edit Le_Alt
Le_Webroot='dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,dns_cf,no'   <<< reflect the removal or addition above here
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''

End result, prior to the forced renewal:

Le_Domain='mailserver.mastermaildomainthisisonlyforanexampletoshowyou.com'
Le_Alt='mail.anotherdomainexample.com'
Le_Webroot='dns_cf,no'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''

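The edit above works because acme.sh keeps the validation methods in Le_Webroot positionally (the first slot belongs to Le_Domain, the rest to each Le_Alt name in order), so a name dropped from Le_Alt must have its Le_Webroot slot dropped too, otherwise every later name shifts onto the wrong method. The script below is an added example, not code from acme.sh or from the poster, and it does the edit mechanically with that count check built in. It assumes the conf layout shown in the post, that a comma-free Le_Webroot means one method for all names, and that acme.sh writes an empty SAN list as Le_Alt='no'; the .example domains and the sample conf are constructed for the demo. Note that the maintainer's reply later in this thread says editing the conf is not the recommended route and that a fresh --issue is.

```shell
#!/bin/sh
# Added example for this thread; not acme.sh code and not the poster's.
# drop_zone_from_conf FILE ZONE removes ZONE and every *.ZONE name from an
# acme.sh <domain>.conf by rewriting Le_Alt and the matching Le_Webroot slots.
# Assumptions (not checked against every acme.sh version): Le_Webroot slot 1
# is Le_Domain's method ("no" = standalone, "dns_cf" = Cloudflare DNS API),
# slots 2.. follow Le_Alt in order, a single comma-free value applies to all
# names, and an empty SAN list is spelled Le_Alt='no'.

conf_get() {                   # conf_get FILE KEY -> value between the single quotes
  sed -n "s/^$2='\\(.*\\)'\$/\\1/p" "$1"
}

count_fields() {               # count_fields "a,b,c" -> 3 ; "" -> 0
  [ -n "$1" ] || { echo 0; return 0; }
  printf '%s\n' "$1" | awk -F, '{ print NF }'
}

in_zone() {                    # in_zone NAME ZONE -> true if NAME is ZONE or *.ZONE
  [ "$1" = "$2" ] && return 0
  case "$1" in *."$2") return 0 ;; esac
  return 1
}

# Rewrites FILE in place (keeping FILE.bak) and prints "NEW_Le_Alt|NEW_Le_Webroot".
# Returns 2 if ZONE covers Le_Domain (the main name cannot be dropped this way)
# and 3 if the Le_Webroot slot count does not match the number of names.
drop_zone_from_conf() {
  file=$1; zone=$2
  main=$(conf_get "$file" Le_Domain)
  alt=$(conf_get "$file" Le_Alt)
  roots=$(conf_get "$file" Le_Webroot)
  [ "$alt" = no ] && alt=""                     # acme.sh's spelling of "no SANs"

  if in_zone "$main" "$zone"; then
    echo "refusing: $zone covers Le_Domain ($main); issue a new cert instead" >&2
    return 2
  fi

  positional=0
  case "$roots" in *,*) positional=1 ;; esac    # one slot per name
  n_names=$(( $(count_fields "$alt") + 1 ))
  if [ "$positional" = 1 ] && [ "$(count_fields "$roots")" -ne "$n_names" ]; then
    echo "refusing: Le_Webroot has $(count_fields "$roots") slots for $n_names names" >&2
    return 3
  fi

  new_alt=""
  new_roots=$roots
  [ "$positional" = 1 ] && new_roots=$(printf '%s\n' "$roots" | cut -d, -f1)  # Le_Domain's slot
  i=1
  old_ifs=$IFS; IFS=,
  for name in $alt; do
    i=$((i + 1))
    if in_zone "$name" "$zone"; then
      continue                                  # name and its slot $i both go
    fi
    new_alt=${new_alt:+$new_alt,}$name
    if [ "$positional" = 1 ]; then
      new_roots="$new_roots,$(printf '%s\n' "$roots" | cut -d, -f"$i")"
    fi
  done
  IFS=$old_ifs
  [ -n "$new_alt" ] || new_alt=no

  # acme.sh sources this file as shell, so keep the KEY='value' form intact.
  sed -i.bak -e "s|^Le_Alt='.*'\$|Le_Alt='$new_alt'|" \
             -e "s|^Le_Webroot='.*'\$|Le_Webroot='$new_roots'|" "$file"
  printf '%s|%s\n' "$new_alt" "$new_roots"
}

# Constructed sample conf in the shape of the thread's "before" state.
make_sample_conf() {
  cat > "$1" <<'EOF'
Le_Domain='mailserver.mastermaildomain.example'
Le_Alt='mail.someotherdomain.example,webmail.someotherdomain.example,someotherdomain.example,mail.anotherdomain.example'
Le_Webroot='no,dns_cf,dns_cf,dns_cf,dns_cf'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
EOF
}

# Usage on a real install (paths assumed; back the conf up first):
#   drop_zone_from_conf ~/.acme.sh/mailserver.example.com/mailserver.example.com.conf someotherdomain.example
#   acme.sh --force --renew -d mailserver.example.com --server letsencrypt
#   openssl x509 -in ~/.acme.sh/mailserver.example.com/mailserver.example.com.cer -noout -ext subjectAltName
```

The final openssl line is the check worth doing after the forced renewal: it prints the SANs actually in the new certificate, so a slot mismatch that slipped through (or a name that should have gone but did not) shows up before the cert is deployed to the mail server.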

Thank you. Cheers and best of luck from Yachats, Oregon. I PM'd Neilpang on this to take a look at the issue you were experiencing. He may or may not respond. But as a user of acme.sh I, so far, have not had to remove subdomains from my certificates. I do see a couple coming, though.

He may be able to "tweak" the process or give an example to make it more efficient or effective. And your modifications of the existing documentation on the official site may influence him to add to or update the current documentation, so that these kinds of issues are more easily resolved by others.

Thanks again.


Yes, you can edit the conf file, but it's not recommended.

You should use the --issue command to apply a new cert for the new domains.
