Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
The operating system my web server runs on is (include version): TrueNAS-SCALE-22.12.0
My hosting provider, if applicable, is: self
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
I have added a CNAME entry for my domain office.vadim.com.ru, but my cert does not cover it for some reason. I installed it as a wildcard and it really should. It affects running Collabora (LibreOffice) on my own server. It worked for some time with verification disabled, but it has stopped working completely.
Not according to the screenshots you posted--according to those (and according to the certificate search at crt.sh), your cert covers only vadim.com.ru, not *.vadim.com.ru. If you want it to be a wildcard cert, you need to include the wildcard subdomain in the cert.
Adding a CNAME doesn't magically create a wildcard certificate. Currently, there are no wildcard certificates issued for your domain: crt.sh | vadim.com.ru
hmm...
So, can I add a CNAME from my domain to your domain... test.example.com CNAME vadim.com.ru
And your cert will automatically cover the name I used as my test too?
Obviously, DNS can't insert a name into a certificate.
If you need a name in a certificate, then you must get a new certificate that covers that name.
You mention a wildcard [which would cover the extra name], but no wildcard has been issued for that domain: crt.sh | vadim.com.ru
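To make the point above concrete: the name a browser checks is the host in the URL, and it is compared against the certificate's Subject Alternative Name entries, never against any CNAME target. The following is an added illustration written for this thread, not code posted by anyone in it; the SAN lists are constructed to mirror the two cases discussed (a cert for the bare domain only versus a wildcard cert), and the matching rules are the usual ones browsers apply (exact match, or a single leftmost `*` label matching exactly one label).

```python
"""Check whether a certificate's SAN dNSName entries cover a hostname.

Added example, not code from the thread. The SAN lists are constructed
to mirror the situation discussed: a cert for the bare domain only versus
a wildcard cert. Matching follows the RFC 6125 rules browsers apply:
exact match, or a wildcard that is the entire leftmost label and matches
exactly one label.
"""

# Constructed SAN lists (hypothetical; mirroring the thread's two cases).
BARE_ONLY = ["vadim.com.ru"]
WILDCARD = ["vadim.com.ru", "*.vadim.com.ru"]


def name_the_browser_validates(url_host: str, cname_target: str) -> str:
    """The TLS client validates the host it was asked to connect to.

    A CNAME only redirects the DNS lookup; it is not sent to the server and
    plays no role in certificate name matching. The cname_target argument is
    deliberately ignored to make that explicit.
    """
    del cname_target  # irrelevant to certificate validation
    return url_host.lower().rstrip(".")


def hostname_covered(hostname: str, san_dns_names: list[str]) -> bool:
    """Return True if hostname matches at least one SAN dNSName entry."""
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True  # exact match
        pattern_labels = pattern.split(".")
        # Wildcard rules: '*' must be the whole leftmost label, the pattern
        # must have at least two labels after it (refusing '*.ru'-style
        # patterns; CAs also refuse public-suffix wildcards, which this
        # simple check does not model), and it matches exactly one label,
        # so '*.vadim.com.ru' covers 'office.vadim.com.ru' but neither
        # 'vadim.com.ru' nor 'a.office.vadim.com.ru'.
        if (
            pattern_labels[0] == "*"
            and len(pattern_labels) >= 3
            and len(pattern_labels) == len(host_labels)
            and pattern_labels[1:] == host_labels[1:]
        ):
            return True
    return False


def uncovered_names(hostnames: list[str], san_dns_names: list[str]) -> list[str]:
    """List the hostnames a cert with these SANs would NOT be valid for."""
    return [h for h in hostnames if not hostname_covered(h, san_dns_names)]


if __name__ == "__main__":
    wanted = ["vadim.com.ru", "office.vadim.com.ru"]
    print("bare-domain cert leaves uncovered:", uncovered_names(wanted, BARE_ONLY))
    print("wildcard cert leaves uncovered:   ", uncovered_names(wanted, WILDCARD))
    print("browser validates:", name_the_browser_validates("test.example.com", "vadim.com.ru"))
```

Run against the two constructed SAN lists, the bare-domain cert leaves office.vadim.com.ru uncovered while the wildcard cert covers it; note also that `*.vadim.com.ru` alone does not cover the bare name, which is why the two-name issue command in this thread lists both.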
I hear two different suggestions here - yours and rg305? Which one is easier? Should I re-run as a wildcard or create a new one? Like so?
acme.sh --issue --dns dns_yandex -d '*.vadim.com.ru' --dnssleep 7200
I am trying this one for now
acme.sh --issue --dns dns_yandex -d office.vadim.com.ru --dnssleep 7200
Yes, and the error is exactly what it says--you haven't issued a cert for *.vadim.com.ru, so acme.sh can't renew that cert.
The command should be acme.sh --issue --dns dns_yandex -d vadim.com.ru -d '*.vadim.com.ru' --dnssleep 7200, assuming you want a wildcard cert (I assume you do, given your apparent belief that you already had one, but I wonder what made you think you had one). If you wanted a separate cert for office., you could do that instead, import it with a different name (i.e., set a different cert_base_name for my script), and tell the Collabora app to use that cert rather than the default letsencrypt cert. But a wildcard is probably the simpler way to go.
AFAIK my script works for SCALE too; the API endpoints and methods are all the same, at least according to the docs. I haven't heard anything about this cert-manager to know how relevant or useful it would be.
I'll definitely try it - I'll put it in the scripts folder along with truetool. In the meanwhile I got the new cert, copied it into the Certificates and got Collabora to use it. Everything is up and running and I really appreciate all the help from you gentlemen (I assume so).
You're confusing TrueNAS with TrueCharts; it's the latter who are planning to release cert-manager some time next month. TrueNAS doesn't have any plans that I've seen to do anything with cert-manager.
@danb35 I have another weird issue with this new wildcard cert - it works for my subdomain office.domain.com but does not work for nextcloud for some reason. That's what I get in the browser: vadim.com.ru uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
View Certificate. As soon as I use my old one it works fine. How come?