ACME cert alternative names?


  • I can't figure out how to add alternative names to a certificate.

    I have added the name as a manual DNS in the domain SAN list, but it only generates the certificate for the primary name.


    We have 2 servers configured with CARP to failover. One is fw-1A, the other fw-1B and the carp address is fw. If I add individual certificates for those 2, then the CARP address fails, etc.

    How does one do that?


  • I have now used "webroot" for the alternative name and that does the trick.


  • However, there's still a problem with the failover server.

    The HA Sync transferred the CA for Letsencrypt to the fw-1B machine. If I try to issue a certificate for fw-1B though, the resultant certificate is issued for the wrong CA:

    Common Name (CN) fw-1B-5fb672ab7a39f
    Organisation (O) pfSense webConfigurator Self-Signed Certificate
    Organisational Unit (OU) <Not Part Of Certificate>
    Common Name (CN) fw-1B-5fb672ab7a39f
    Organisation (O) pfSense webConfigurator Self-Signed Certificate
    Organisational Unit (OU) <Not Part Of Certificate>

    There doesn't seem to be a way to set which CA to use for the new LE certificate?

  • LAYER 8 Global Moderator

    I use acme in a limited sense - but you should be able to just use a wildcard cert vs doing stuff with SANs... I was using wildcard when I had a few different hosts behind haproxy..


  • I really don't want to use wildcards, since the domain has other subdomains as well.


  • @lifeboy said in ACME cert alternative names?:

    since the domain has other subdomains as well.

    Do not communicate 'your' certificate to the other (web) subdomain servers and you'll be fine.

  • Rebel Alliance Developer Netgate

    Each entry in that list is a SAN

    It's even labeled Domain SAN list

    It's possible that acme.sh itself doesn't support multiple names with the DNS-Manual method, and input validation doesn't prevent it.

    I use multiple SAN entries with RFC 2136 style DNS updates and it works perfectly there.

  • LAYER 8 Global Moderator

    Yeah you could for sure use a wildcard in one instance, and just use specific certs in other instances.


  • @jimp Indeed, the SAN addition works now. However, I'm still hoping to figure out why my second server doesn't create correct certificates. I have now removed the certificates and CA, but I ran into the LE rate limiting, so I'll try again later.
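A quick way to verify both points raised in this thread on the certificate that actually got issued (every CARP-related name present as a SAN, and the issuer being Let's Encrypt rather than the pfSense self-signed webConfigurator CA). This is an added example, not code from the thread or from the pfSense ACME package; it assumes the openssl CLI is available and builds its own constructed sample certificate.

```shell
#!/bin/sh
# Added example: check that an issued certificate carries every CARP name as a
# SAN and that its issuer is Let's Encrypt rather than the pfSense self-signed
# webConfigurator CA. Assumes the openssl CLI (present on pfSense/FreeBSD).

# Print each DNS SAN of a PEM certificate, one name per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# Print the issuer DN of a PEM certificate.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# check_cert FILE NAME... : succeed only if every NAME is a SAN and the issuer
# DN names Let's Encrypt; each problem is reported on stdout.
check_cert() {
    cert=$1; shift
    rc=0
    sans=$(cert_sans "$cert")
    for name in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$name"; then
            echo "MISSING SAN: $name"; rc=1
        fi
    done
    issuer=$(cert_issuer "$cert")
    case $issuer in
        *"Let's Encrypt"*) ;;
        *) echo "WRONG ISSUER: $issuer"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample (hypothetical, generated locally, not the poster's cert):
# a self-signed cert shaped like the "wrong CA" output quoted in the thread.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj "/CN=fw-1B/O=pfSense webConfigurator Self-Signed Certificate" \
        -addext "subjectAltName=DNS:fw,DNS:fw-1A,DNS:fw-1B" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_sample_cert "$tmp/sample.pem"
check_cert "$tmp/sample.pem" fw fw-1A fw-1B || echo "certificate needs attention"
rm -rf "$tmp"
```

Run it against the PEM that pfSense exported for the fw-1B entry; the sample above deliberately reproduces the wrong-issuer case, so it reports WRONG ISSUER.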