Acquiring a wildcard certificate from Let's Encrypt via `acme-client(1)`

I have a valid certificate from Let's Encrypt that covers both foo.bar and www.foo.bar. I'd like to add a wiki.foo.bar and likely many others in the future, so a wildcard certificate sounds appropriate.

My web server is via httpd(8) on OpenBSD 6.8 and, as such, I used acme-client(1) to set up the current Let's Encrypt certificate. The issue is, most of the available Let's Encrypt documentation is exclusively for certbot, rather than acme-client(1) (which is unsurprising).

When I add the wiki.foo.bar subdomain to my `/etc/acme-client.conf` configuration and then run `sudo acme-client -vv foo.bar`, it complains with `acme-client: /etc/ssl/foo.bar.crt: domain not listed: wiki.foo.bar`. It also doesn't seem appropriate to perform any sort of revocation either.

Assuming it's even possible, how do I get a wildcard certificate from Let's Encrypt using acme-client(1)? Otherwise, how do I add a subdomain to an existing Let's Encrypt certificate?


Solution 1:

Let's Encrypt wildcard certificates require the DNS-01 challenge type. OpenBSD's acme-client only supports the http-01 challenge type. If you want a wildcard certificate from Let's Encrypt, one easy way is to use acme.sh.

To support an additional subdomain using acme-client, you can just create a new cert using only the subdomain in the same way you created the previous cert, or create a new cert using the domain and all of the subdomains, then delete the previous cert.
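The second route from the answer (one certificate covering the domain and all of its subdomains) as an added configuration example; it is not from the original answer or from the OpenBSD project. The domain names, the certificate path `/etc/ssl/foo.bar.crt` and the config path come from the question; the key and chain paths, the `/acme` challenge directory and the account key location are assumptions modelled on the layout OpenBSD's stock `acme-client.conf` and `httpd.conf` examples use, so adjust them to match the existing setup.

```conf
# /etc/acme-client.conf (added example, paths other than the .crt are assumed)
authority letsencrypt {
	api url "https://acme-v02.api.letsencrypt.org/directory"
	account key "/etc/acme/letsencrypt-privkey.pem"
}

# One cert for the apex plus every subdomain it should cover. Adding a name
# here later triggers the same "domain not listed" refusal until the old
# certificate file is removed, because acme-client compares the configured
# names against the SANs of the certificate already on disk.
domain foo.bar {
	alternative names { www.foo.bar wiki.foo.bar }
	domain key "/etc/ssl/private/foo.bar.key"
	domain certificate "/etc/ssl/foo.bar.crt"
	domain full chain certificate "/etc/ssl/foo.bar.fullchain.pem"
	sign with letsencrypt
}

# /etc/httpd.conf (relevant part only). Every name in the certificate must be
# reachable over plain HTTP for the http-01 challenge, so list them all here.
# The challenge location is the only path served from /acme, and "request
# strip 2" maps /.well-known/acme-challenge/<token> onto /acme/<token>
# inside httpd's /var/www chroot.
server "foo.bar" {
	alias "www.foo.bar"
	alias "wiki.foo.bar"
	listen on * port 80
	location "/.well-known/acme-challenge/*" {
		root "/acme"
		request strip 2
	}
	location "*" {
		block return 302 "https://$HTTP_HOST$REQUEST_URI"
	}
}
```

With the configuration in place, the procedure the answer describes is: move the current `/etc/ssl/foo.bar.crt` (and the matching full-chain file) out of the way, run `acme-client -v foo.bar` to have a fresh certificate issued for the whole name set, then `rcctl reload httpd` so the server picks it up. Only the certificate files are replaced; the domain key is reused, and the old certificate is simply allowed to expire rather than revoked, which is consistent with the questioner's reluctance to revoke anything.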