diff --git a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
index f3edbcf0a..da015154c 100644
--- a/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
+++ b/security/acme-client/src/opnsense/mvc/app/controllers/OPNsense/AcmeClient/forms/dialogCertificate.xml
@@ -23,7 +23,7 @@ select_multiple true -
NOTE:Cannot be altered once the certificate was signed by the Let's Encrypt Authority! You need to create a new certificate to add additional names.
]]>
+
NOTE:You need to forcefully re-issue the certificate if you change "Alt Names" after the certificate was signed by the Let's Encrypt Authority! Use the "issue" button in the Commands column in this case.
]]>
Enter FQDN here. Finish with TAB.
diff --git a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
index 16666ea93..8f3ac324f 100644
--- a/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
+++ b/security/acme-client/src/opnsense/mvc/app/views/OPNsense/AcmeClient/certificates.volt
@@ -269,7 +269,7 @@ POSSIBILITY OF SUCH DAMAGE.
 {
 if (gridParams['sign'] != undefined) {
 var uuid=$(this).data("row-id");
- stdDialogRemoveItem('Sign/renew selected certificate?',function() {
+ stdDialogRemoveItem('Forcefully (re-)issue the selected certificate?',function() {
 // Handle HAProxy integration (no-op if not applicable)
 ajaxCall(url="/api/acmeclient/settings/fetchHAProxyIntegration", sendData={}, callback=function(data,status) {
 ajaxCall(url=gridParams['sign'] + uuid,sendData={},callback=function(data,status){
diff --git a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
index c4e3939a0..ac4a61bec 100755
--- a/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
+++ b/security/acme-client/src/opnsense/scripts/OPNsense/AcmeClient/certhelper.php
@@ -442,7 +442,15 @@ function run_acme_validation($certObj, $valObj, $acctObj)
 $proc_pipes = array();
 // Do we need to issue or renew the certificate?
- $acme_action = !empty((string)$certObj->lastUpdate) ? "renew" : "issue";
+ if (!empty((string)$certObj->lastUpdate) and !isset($options["F"])) {
+ $acme_action = "renew";
+ } else {
+ // Default: Issue a new certificate.
+ // If "-F" is specified, forcefully re-issue the cert, no matter if it's required.
+ // NOTE: This is useful if altNames were changed or when switching
+ // from acme staging to acme production servers.
+ $acme_action = "issue";
+ }
 // Calculate next renewal date
 $last_update = !empty((string)$certObj->lastUpdate) ? (string)$certObj->lastUpdate : 0;
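Review bot: `$options` is not a parameter of `run_acme_validation($certObj, $valObj, $acctObj)`, and PHP functions do not see script-level variables, so unless the function imports it above this hunk (the body starts outside the hunk) `isset($options["F"])` in the added `if` is always false and `-F` silently falls back to `renew`. Add `global $options;` at the top of the function, or better, pass an explicit force flag from the caller so the decision is visible in the signature. The condition would also read more conventionally as `if (!empty((string)$certObj->lastUpdate) && !isset($options["F"])) {`, since `and` binds more loosely than `=` and is easy to misuse if the expression is later moved into an assignment. Because a forced issue presumably bypasses the renew path's due-date check and sends a fresh order to the CA each time, it is worth logging when the forced path is taken so that repeated requests running into the CA's rate limits can be traced.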