Re: acme-client error: unknown SAN entry
On Sun, Feb 7, 2021 at 4:49 PM Stuart Henderson wrote:

> On 2021-02-07, David Higgs wrote:
> > acme-client: /etc/ssl/primary.example.com.crt: unknown SAN entry: alternate.example.com
> > acme-client: bad exit: revokeproc(55821): 1
> >
> > (My real domain is legitimate, and not example.com.)
> >
> > I recently decommissioned one of the aliases for my servers, but my nightly
> > acme-client run threw an error. Although I removed the alias from
> > acme-client.conf, it is obviously still present in my certificate and seems
> > to be confusing the renewal process.
> >
> > Does anyone know how to resolve this? I tried force-renewal (-F) without
> > success but haven't tried revoking yet. Is it possible to fix without
> > revocation?
> >
> > Thanks.
> >
> > --david
>
> Update to -current, or move /etc/ssl/primary.example.com.crt out the way.

For the archives: I moved the cert as suggested, manually ran my nightly script, and everything worked great.

Thanks!

--david

Re: acme-client error: unknown SAN entry
On 2021-02-07, David Higgs wrote:

> acme-client: /etc/ssl/primary.example.com.crt: unknown SAN entry: alternate.example.com
> acme-client: bad exit: revokeproc(55821): 1
>
> (My real domain is legitimate, and not example.com.)
>
> I recently decommissioned one of the aliases for my servers, but my nightly
> acme-client run threw an error. Although I removed the alias from
> acme-client.conf, it is obviously still present in my certificate and seems
> to be confusing the renewal process.
>
> Does anyone know how to resolve this? I tried force-renewal (-F) without
> success but haven't tried revoking yet. Is it possible to fix without
> revocation?
>
> Thanks.
>
> --david

Update to -current, or move /etc/ssl/primary.example.com.crt out the way.

acme-client error: unknown SAN entry
acme-client: /etc/ssl/primary.example.com.crt: unknown SAN entry: alternate.example.com
acme-client: bad exit: revokeproc(55821): 1

(My real domain is legitimate, and not example.com.)

I recently decommissioned one of the aliases for my servers, but my nightly acme-client run threw an error. Although I removed the alias from acme-client.conf, it is obviously still present in my certificate and seems to be confusing the renewal process.

Does anyone know how to resolve this? I tried force-renewal (-F) without success but haven't tried revoking yet. Is it possible to fix without revocation?

Thanks.

--david
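
The condition reported in this thread (a name still in the existing certificate's SAN list after it was dropped from the configuration) can be checked before the nightly run. The following is an added example, not code from the thread or from acme-client; the function names `san_names` and `stale_sans` and the sample text are constructed for illustration, and it assumes `openssl x509 -noout -text` prints the SAN list on the line after its header.

```shell
#!/bin/sh
# Added example (not from the thread): list DNS SAN entries of an existing
# certificate that are absent from the names currently configured for it.

# Constructed excerpt of `openssl x509 -noout -text` output, not a real cert.
SAMPLE_TEXT='            X509v3 Subject Alternative Name:
                DNS:alternate.example.com, DNS:primary.example.com'

# stdin: `openssl x509 -noout -text` output. stdout: one DNS SAN per line.
# Assumes the SAN list is printed on the single line after its header.
san_names() {
    awk '
        /X509v3 Subject Alternative Name/ { grab = 1; next }
        grab {
            n = split($0, parts, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", parts[i])
                if (parts[i] ~ /^DNS:/) print substr(parts[i], 5)
            }
            grab = 0
        }
    ' | sort -u
}

# args: configured names. stdin: as san_names. Prints each SAN that is not
# among the configured names; exit status 1 if any was printed, else 0.
stale_sans() {
    san_names | (
        rc=0
        while read -r name; do
            found=0
            for want in "$@"; do
                if [ "$name" = "$want" ]; then found=1; fi
            done
            if [ "$found" -eq 0 ]; then
                echo "$name"
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Real use, with the path from the thread:
#   openssl x509 -in /etc/ssl/primary.example.com.crt -noout -text |
#       stale_sans primary.example.com
# Demo on the constructed sample: prints alternate.example.com
printf '%s\n' "$SAMPLE_TEXT" | stale_sans primary.example.com || true
```

A non-zero exit status from `stale_sans` in a nightly script is the cue to apply the fix given in the reply before renewing.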