Add domain with acme-client on OpenBSD 6.3


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: andrewgrillet.uk

After adding an additional domain shop.andrewgrillet.uk,

I ran this command: acme-client andrewgrillet.uk

It produced this output:
acme-client: /etc/ssl/andrewgrillet.uk.crt: domain not listed: shop.andrewgrillet.uk

I also ran this command: acme-client -a andrewgrillet.uk

It produced this output:
acme-client: unknown option -- a
usage: acme-client [-ADFnrv] [-f configfile] domain

My web server is (include version): httpd

The operating system my web server runs on is (include version): OpenBSD 6.3

My hosting provider, if applicable, is: Myself

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No


#2

Hi @acgrillet

Looks like acme-client is case-sensitive.

So use -A instead of -a.


#3

-A means Create a new Account with Letsencrypt - something completely different. I want to add an additional domain to my certificate. This was -a in the old version of acme-client, but the option no longer exists in the new version.


#4

Checking this

https://kristaps.bsd.lv/acme-client/

Add the -e flag, which allows for extending certificates with new SAN domains.


#5

-e was for the old version - not supported in the current version:

acme-client -e andrewgrillet.uk
acme-client: unknown option -- e
usage: acme-client [-ADFnrv] [-f configfile] domain


#6

Apparently there are two separate forks of acme-client:

The OpenBSD version which you are using reads its settings from the configuration file (/etc/acme-client.conf by default); the format of this configuration file is described in the acme-client.conf(5) man page. Additional domains should be specified using the alternative names option in the configuration file.


#7

I know. However, if you have created certificates, and then edit acme-client.conf to add a domain (or several), it does not allow you to do it, saying you already have a valid certificate, and a certificate supporting the new domains is not created.

I assume that either (a) you should have the option of setting a flag to say you want to add more domains, or (b) you should be told you can’t, and that you must delete the old certificate (preferably telling you which file(s) to delete).

Eventually, I deleted the old cert and started again, but I do not think it is OK to leave it like this. I would normally expect to debug with only one domain, and then add the others. I expect some people add domains quite frequently, and letsencrypt or acme-client only supports a single cert per server, and some people may have a single server supporting many domains, each with many subdomains. The present solution is not great in that kind of scenario.
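An added example (not from any poster, and not part of acme-client itself) tying together #6 and #7: it reads the `alternative names` of a domain block in an OpenBSD-style acme-client.conf and reports which configured names the already-issued certificate does not carry, which is exactly the situation behind the "domain not listed" error. The sample configuration is constructed in the OpenBSD 6.3 /etc/examples/acme-client.conf layout, the extra `www.` name is invented for illustration, and `cert_names()` assumes openssl(1) is on the path; the domain block is assumed to end with a line that begins with `}`.

```python
import re
import subprocess

# Constructed sample in the OpenBSD 6.3 acme-client.conf layout; not the poster's real file.
SAMPLE_CONF = """
authority letsencrypt {
        api url "https://acme-v01.api.letsencrypt.org/directory"
        account key "/etc/acme/letsencrypt-privkey.pem"
}

domain andrewgrillet.uk {
        alternative names { shop.andrewgrillet.uk www.andrewgrillet.uk }
        domain key "/etc/ssl/private/andrewgrillet.uk.key"
        domain certificate "/etc/ssl/andrewgrillet.uk.crt"
        domain full chain certificate "/etc/ssl/andrewgrillet.uk.fullchain.pem"
        sign with letsencrypt
}
"""


def configured_names(conf_text, domain):
    """Return the domain plus every 'alternative names' entry of its block."""
    block = re.search(r'^\s*domain\s+' + re.escape(domain) + r'\s*\{(.*?)^\}',
                      conf_text, re.S | re.M)
    if not block:
        raise ValueError("no domain block for " + domain)
    names = [domain]
    alt = re.search(r'alternative\s+names\s*\{([^}]*)\}', block.group(1))
    if alt:
        # acme-client.conf separates names with whitespace or commas.
        names += alt.group(1).replace(',', ' ').split()
    return names


def cert_names(cert_path):
    """DNS names in the certificate's subjectAltName, read via openssl(1)."""
    out = subprocess.run(['openssl', 'x509', '-in', cert_path, '-noout', '-text'],
                         check=True, capture_output=True, text=True).stdout
    return re.findall(r'DNS:([^,\s]+)', out)


def missing_names(conf_text, domain, issued_names):
    """Configured names absent from the issued certificate; non-empty means
    the old certificate file must be moved aside before acme-client reissues."""
    return [n for n in configured_names(conf_text, domain) if n not in issued_names]


if __name__ == "__main__":
    issued = cert_names("/etc/ssl/andrewgrillet.uk.crt")
    print("not in current cert:", missing_names(SAMPLE_CONF, "andrewgrillet.uk", issued))
```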