I'm new to the forum, sorry if I'm in the wrong place. I'm asking for help on renewing a SAN that I use on a mail server (Dovecot); if anyone has experience with the subject or knows a better system, thank you very much for advice and explanations.
I use acme.sh to manage the SAN. I saw that the forum talks about this, so I'm turning here because I didn't get support from the developer. Maybe someone here knows how to help me.
I use the following command:
#!/bin/sh
acme.sh --issue -d mail.mydomain2.it \
  -d mail.domain1.eu --challenge-alias mydomain2.it \
  -d mail.domain2.it \
  -d mail.domain3.com \
  -d mail.domain4.com --challenge-alias mydomain2.it \
  -d mail.domain5.it --challenge-alias mydomain2.it \
  -d mail.domain6.it --challenge-alias mydomain1.it \
  -d mail.domain7.com \
  -d mail.domain8.com \
  -d mail.domain9.it \
  -d mail.domain10.com \
  ... -d mail.otherdomain.com \
  --keylength 4096 --dns dns_ovh --csr /etc/acme/request.csr \
  --cert-file /etc/acme/acmecert/certificato.cer \
  --key-file /etc/acme/acmecert/chiave.key \
  --ca-file /etc/acme/acmecert/certificatoCA.cer \
  --fullchain-file /etc/acme/acmecert/fullchain.cer
both to renew the SAN and to add new domains.
The first problem is that before renewing the SAN I have to individually renew the domains that are present in the SAN, with an incredible waste of time; if I don't do this, the SAN won't renew itself.
The second problem is that now it uses --challenge-alias for all domains, not just the first few where I set --challenge-alias. This causes the process to fail.
The third problem, for example:
[Thu 22 Jul 2021, 11:56:49, UTC] Removing txt: mejwSpok4xVEV7gGQMCSuehb4NUZaqJoHJd__RviI8M for domain: _acme-challenge.mydomain1.it
[Thu 22 Jul 2021, 11:56:49, UTC] Using OVH endpoint: ovh-eu
[Thu 22 Jul 2021, 11:56:49, UTC] Checking authentication
[Thu 22 Jul 2021, 11:56:50, UTC] Consumer key is ok.
[Thu 22 Jul 2021, 11:56:54, UTC] Removed: Success
It says it has removed the TXT record, but it doesn't actually remove anything, so I find myself in the DNS with many records that are no longer needed.
Finally, for my purpose I cannot use --csr.
Is it advisable to switch from acme.sh to certbot? If so, can someone tell me how to convert the command I showed to certbot?
Best regards, everybody
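The third problem above (acme.sh reports "Removed: Success" while the TXT record is still in the zone) is easy to miss unless someone checks the zone after each run. The script below is an added example, not part of the post and not acme.sh's own code: it parses acme.sh log lines of the shape shown above, works out which _acme-challenge names a SAN with per-domain --challenge-alias zones should leave empty (with alias mode the token lives under _acme-challenge.<alias zone>, otherwise under _acme-challenge.<domain>), and reports tokens that acme.sh claims to have removed but that are still present. The domain map, log excerpt and DNS snapshot are constructed sample data; the optional live lookup assumes dig is installed.

```python
"""Audit leftover _acme-challenge TXT records after an acme.sh DNS-01 run.

Added example (not from the post or from acme.sh). Offline by default:
the sample data below stands in for the real zone and log.
"""
import re
import subprocess

# Constructed domain -> alias-zone map in the shape of the post's command
# (None means no --challenge-alias: the domain's own name is validated).
DOMAINS = {
    "mail.mydomain2.it": None,
    "mail.domain1.eu": "mydomain2.it",
    "mail.domain2.it": None,
    "mail.domain6.it": "mydomain1.it",
}

# Constructed log excerpt in the same format as the post's acme.sh output.
SAMPLE_LOG = """\
[Thu 22 Jul 2021, 11:56:49, UTC] Removing txt: mejwSpok4xVEV7gGQMCSuehb4NUZaqJoHJd__RviI8M for domain: _acme-challenge.mydomain1.it
[Thu 22 Jul 2021, 11:56:49, UTC] Using OVH endpoint: ovh-eu
[Thu 22 Jul 2021, 11:56:54, UTC] Removed: Success
[Thu 22 Jul 2021, 11:58:02, UTC] Removing txt: AAAAexampleTokenAAAA for domain: _acme-challenge.mydomain2.it
[Thu 22 Jul 2021, 11:58:05, UTC] Removed: Success
"""

# Constructed snapshot of what DNS actually returns (name -> set of TXT values):
# the first token is still there although acme.sh said it removed it.
SAMPLE_DNS = {
    "_acme-challenge.mydomain1.it": {"mejwSpok4xVEV7gGQMCSuehb4NUZaqJoHJd__RviI8M"},
    "_acme-challenge.mydomain2.it": set(),
}

LOG_RE = re.compile(r"Removing txt: (\S+) for domain: (\S+)")


def challenge_name(domain, alias=None):
    """Name that carries the TXT token. With --challenge-alias the token is
    written into the alias zone and _acme-challenge.<domain> is only a CNAME
    to it, so the alias name is the one to inspect."""
    return "_acme-challenge." + (alias or domain)


def expected_names(domains):
    """Every _acme-challenge name a successful clean-up should leave empty."""
    return sorted({challenge_name(d, a) for d, a in domains.items()})


def parse_removals(log_text):
    """(name, token) pairs that acme.sh reports as removed."""
    return [(m.group(2), m.group(1)) for m in LOG_RE.finditer(log_text)]


def stale_tokens(removals, snapshot):
    """Tokens still present in DNS although the log claimed 'Removed'."""
    return sorted((n, t) for n, t in removals if t in snapshot.get(n, set()))


def query_txt(name):
    """Live lookup via dig (assumption: dig is installed). Not used offline."""
    out = subprocess.run(["dig", "+short", "TXT", name],
                         capture_output=True, text=True, check=False).stdout
    return {ln.strip().strip('"') for ln in out.splitlines() if ln.strip()}


def audit(domains, log_text, lookup):
    """Return (leftovers, stale): leftovers maps each challenge name that
    still has TXT values to those values; stale lists (name, token) pairs the
    log claims were removed but the zone still serves. `lookup` maps a record
    name to the set of TXT values it currently has."""
    removals = parse_removals(log_text)
    names = set(expected_names(domains)) | {n for n, _ in removals}
    snapshot = {n: lookup(n) for n in names}
    leftovers = {n: sorted(v) for n, v in snapshot.items() if v}
    return leftovers, stale_tokens(removals, snapshot)


if __name__ == "__main__":
    # Offline run against the constructed snapshot; swap in query_txt to
    # check the real zone after an acme.sh run.
    left, stale = audit(DOMAINS, SAMPLE_LOG, lambda n: SAMPLE_DNS.get(n, set()))
    for name, values in left.items():
        print(f"leftover TXT on {name}: {values}")
    for name, token in stale:
        print(f"NOT removed despite 'Removed: Success': {name} -> {token}")
```

Running it against the real zone only needs `audit(DOMAINS, open("acme.log").read(), query_txt)`; anything it prints is a record the OVH API call did not actually delete, which is exactly the evidence to attach when raising the issue, and the list of names to clean up by hand.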