Multi-domain cert with FreeBSD acme-client

I have acme-client installed on a FreeBSD 11 server running postfix acting as a mail relay. This server needs to receive mail for multiple domains, so I need a single cert that’s valid for hostnames across multiple domains. For example:,,, etc. However, I’m having trouble doing that with acme-client. Here’s what I’ve tried so far:

Adding all hostnames at the same time:

acme-client -vNnse -C /usr/local/etc/acme/www/ -c /usr/local/etc/acme/ssl -k /usr/local/etc/acme/ssl/privkey.pem -f /usr/local/etc/acme/privkey.pem
acme-client: bad domain syntax

One hostname at a time (attempting to add hostnames to an existing cert):

# the first hostname
acme-client -vNnse -C /usr/local/etc/acme/www/ -c /usr/local/etc/acme/ssl -k /usr/local/etc/acme/ssl/privkey.pem -f /usr/local/etc/acme/privkey.pem 
# Successful

# on to the next hostname...
acme-client -vNnse -C /usr/local/etc/acme/www/ -c /usr/local/etc/acme/ssl -k /usr/local/etc/acme/ssl/privkey.pem -f /usr/local/etc/acme/privkey.pem
acme-client: /usr/local/etc/acme/privkey.pem: account key exists (not creating)
acme-client: /usr/local/etc/acme/ssl/privkey.pem: domain key exists (not creating)
acme-client: /usr/local/etc/acme/ssl/cert.pem: unknown SAN entry:
acme-client: bad exit: revokeproc(92643): 1
# failure

Is this something that acme-client is capable of doing? The man page would suggest that it is:

-e      Allow expanding the domains listed in the certificate.  This is a
no-op if no certificate exists yet.  If a new domain is
specified, the certificate will be renewed as if -F were also

If so, what is the correct syntax?
Thanks in advance.

By the look of it, it seems like your two domain names are treated as a single parameter/argument (see around line 270). That might happen, for example, if the command was copied from Lync messenger (and ended up with nasty invisible characters) :)

Alternatively you can try and see if that works for you.
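
The failure mode suggested in the reply above (a pasted separator that is not an ASCII space, so two hostnames reach the program as one argument), shown as an added example that is not part of the original thread or of acme-client. The hostnames are constructed placeholders, and the hostname pattern is a conventional letters-digits-hyphen check assumed here, not acme-client's own validation.

```python
import re
import shlex
import unicodedata

# Conventional LDH hostname check (assumption: not acme-client's own validator).
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME = re.compile(rf"{_LABEL}(?:\.{_LABEL})+")


def hidden_chars(token):
    """Describe every control or non-ASCII character in a token."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"
            for ch in token if not 0x20 < ord(ch) < 0x7F]


def check_domains(pasted):
    """Split the domain part of a pasted command as sh would, then vet each word.

    Returns (word, looks_like_hostname, hidden_characters) per resulting argument.
    """
    report = []
    for word in shlex.split(pasted):
        ok = len(word) <= 253 and _HOSTNAME.fullmatch(word) is not None
        report.append((word, ok, hidden_chars(word)))
    return report


# Constructed sample input: reserved example hostnames, not the poster's.
CLEAN = "mx.example.com mx.example.org"
PASTED = "mx.example.com\u00a0mx.example.org"  # NO-BREAK SPACE, looks identical

if __name__ == "__main__":
    for label, line in (("typed", CLEAN), ("pasted", PASTED)):
        for word, ok, hidden in check_domains(line):
            print(f"{label}: {word!r} hostname={ok} hidden={hidden}")
```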
