ACME cert alternative names?
-
I can't figure out how to add alternative names to a certificate.
I have added the name as a manual DNS in the domain SAN list, but it only generates the certificate for the primary name.
We have 2 servers configured with CARP to failover. One is fw-1A, the other fw-1B and the carp address is fw. If I add individual certificates for those 2, then the CARP address fails, etc.
How does one do that?
-
I have now used "webroot" for the alternative name and that does the trick.
-
However, there's still a problem with the failover server.
The HA Sync transferred the CA for Letsencrypt to the fw-1B machine. If I try to issue a certificate for fw-1B though, the resultant certificate is issued for the wrong CA:
Common Name (CN) fw-1B-5fb672ab7a39f
Organisation (O) pfSense webConfigurator Self-Signed Certificate
Organisational Unit (OU) <Not Part Of Certificate>
There doesn't seem to be a way to set which CA to use for the new LE certificate?
-
I use acme in a limited sense - but you should be able to just use a wildcard cert vs doing stuff with SANs... I was using a wildcard when I had a few different hosts behind haproxy.
-
I really don't want to use wildcards, since the domain has other subdomains as well.
-
@lifeboy said in ACME cert alternative names?:
since the domain has other subdomains as well.
Do not communicate 'your' certificate to the other (web) sub domain servers and you'll be fine.
-
Each entry in that list is a SAN.
It's even labeled "Domain SAN list".
It's possible that acme.sh itself doesn't support multiple names with the DNS-Manual method, and input validation doesn't prevent it.
I use multiple SAN entries with RFC 2136 style DNS updates and it works perfectly there.
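To see what the ACME client actually produced on each node (which CA signed the certificate and which names ended up in the SAN list), here is an added shell example; it is not from this thread or from pfSense. It builds a constructed self-signed test certificate using the assumed names fw, fw-1A and fw-1B under example.test, then inspects it with openssl the same way you would inspect the exported Let's Encrypt certificate.

```shell
#!/bin/sh
# Added example (not from the thread or pfSense). Requires OpenSSL 1.1.1+.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the ACME output: a self-signed cert whose SAN
# list carries the CARP VIP name and both CARP peers (assumed names).
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=fw.example.test" \
    -addext "subjectAltName=DNS:fw.example.test,DNS:fw-1A.example.test,DNS:fw-1B.example.test" \
    >/dev/null 2>&1
  printf '%s\n' "$WORK/cert.pem"
}

# Print the issuer on one line. An LE-issued cert names Let's Encrypt as
# issuer; a webConfigurator self-signed cert names the local CA instead.
cert_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# List the DNS names in the subjectAltName extension, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed only if every name given after the cert path is present as a SAN.
cert_covers() {
  cert=$1; shift
  sans=$(cert_sans "$cert")
  for name in "$@"; do
    printf '%s\n' "$sans" | grep -qx "$name" || return 1
  done
}

CERT=$(make_test_cert)
cert_issuer "$CERT"
cert_sans "$CERT"
cert_covers "$CERT" fw.example.test fw-1A.example.test fw-1B.example.test \
  && echo "all CARP names are covered by the SAN list"
```

On pfSense, point `cert_issuer` and `cert_covers` at the exported PEM of the ACME-issued certificate instead of the constructed one; a certificate that covers only the primary name fails the `cert_covers` check.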
-
Yeah you could for sure use a wildcard in one instance, and just use specific certs in other instances
-
@jimp Indeed, the SAN addition works now. However, I'm still hoping to figure out why my second server doesn't create correct certificates. I have now removed the certificates and CA, but I ran into the LE rate limiting, so I'll try again later.
-