Adding the 'www' subdomain to a certificate request in OpenBSD's acme-client

Page created: 2026-05-28


The goal is to add the www subdomain to my Let’s Encrypt certificate for ratfactor.com. (For some reason, people (or programs?) often get to my website via www.ratfactor.com even though I don’t believe I ever publish links that way. I guess old habits die hard?)

This is one of those things that is impossible to find via a web search engine these days, so I pieced it together from the acme-client(1) and acme-client.conf(5) man pages and took a leap of faith. It turned out to be totally painless!

Adding alternative names

Here’s the relevant section of the acme-client.conf(5) man page regarding the "alternative names" list:

 alternative names {...}
         A list of alternative names, comma or space separated, for which
         the certificate will be valid.  The common name is included
         automatically if this option is present, but there is no
         automatic conversion/inclusion between "www." and plain domain
         name forms.

So I edited the configuration file:

$ doas vim /etc/acme-client.conf

And added the fully-qualified subdomain as an "alternative name". (Let’s Encrypt validates every listed name separately, so www.ratfactor.com has to resolve to this host and httpd has to answer the /.well-known/acme-challenge/ requests for that hostname as well as for the bare domain.)

domain ratfactor.com {
	alternative names { www.ratfactor.com }
	domain key "/etc/ssl/private/ratfactor.com.key" rsa
	domain full chain certificate "/etc/ssl/ratfactor.com.fullchain.pem"
	sign with "letsencrypt"
}

Checked syntax with the -n flag:

$ doas acme-client -n     # silently checks the config
$ doas acme-client -n -v  # checks and *shows* the config

Okay, here goes nothing with a real request to Let’s Encrypt. Note that the -v (verbose) flag shows what’s going on:

$ doas acme-client -v ratfactor.com
...
acme-client: /etc/ssl/ratfactor.com.fullchain.pem: domain list changed, forcing renewal
...
acme-client: /etc/ssl/ratfactor.com.fullchain.pem: created

I knew I’d done something right when I saw that "domain list changed, forcing renewal" message.

Finally, restart httpd to load the new certificate:

$ doas rcctl reload httpd

I loaded the www.ratfactor.com URL in my browser and just like that, no more scary warnings about the certificate. Nice!

I also viewed the certificate info in the browser and it showed:

Subject Alt Names
    DNS Name    ratfactor.com
    DNS Name    www.ratfactor.com

Great!
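The steps above (request, confirm the SAN list, reload httpd) can be folded into one renewal script suitable for cron. This is an added example, not code from the post: it assumes the certificate path from the config above, takes the list of names the certificate is expected to cover on the command line, and relies on openssl(1) to read the certificate and on acme-client(1)'s documented exit status (0 when the certificate changed, 2 when it didn't, 1 on failure) to decide whether httpd needs a reload.

```shell
#!/bin/sh
# Added example (not from the original post). Renew with acme-client, verify the
# issued certificate actually carries every expected name, then reload httpd.
# Usage: renew.sh ratfactor.com ratfactor.com www.ratfactor.com

# Path assumed from the acme-client.conf shown in the post.
CERT=${CERT:-/etc/ssl/ratfactor.com.fullchain.pem}

# Print the DNS names from the certificate's subjectAltName, one per line.
# Parses "openssl x509 -text" output, which works on both OpenSSL and LibreSSL.
cert_dns_names() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    printf '%s\n' "$text" |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Return 0 only if the certificate lists every name given after the file.
cert_covers() {
    cert=$1; shift
    names=$(cert_dns_names "$cert") || return 1
    for want in "$@"; do
        printf '%s\n' "$names" | grep -Fqx "$want" ||
            { echo "$cert: missing SAN $want" >&2; return 1; }
    done
    return 0
}

# Run acme-client for one domain; reload httpd only when a new certificate was
# written and it covers all the names we expect httpd to serve.
renew_and_reload() {
    domain=$1; shift
    status=0
    acme-client -v "$domain" || status=$?
    case $status in
        0) cert_covers "$CERT" "$@" && rcctl reload httpd ;;
        2) echo "$domain: certificate unchanged, nothing to reload" ;;
        *) echo "$domain: acme-client failed (exit $status)" >&2; return 1 ;;
    esac
}

[ $# -eq 0 ] || renew_and_reload "$@"
```

The SAN check is the point of the wrapper: acme-client reports "domain list changed, forcing renewal" when the config changes, but the check makes the script refuse to reload httpd with a certificate that somehow lacks a name the web server is about to present.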

Note: I originally wrote up my experience setting up a certificate for the first time here: Dave’s OpenBSD Blog #9: OpenBSD httpd (ACME client for certs)