I did an experiment, that seems to work by my side at least to obtain a certificate with alternative names. Curl’s proof:
* Server certificate:
* subject: CN=nethservice.nethesis.it
* start date: Apr 29 09:15:43 2024 GMT
* expire date: Jul 28 09:15:42 2024 GMT
* subjectAltName: host "mail.nethesis.it" matched cert's "mail.nethesis.it"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
What we were missing is a fix to the rule line:
rule: Host(`mail.domain.com`, `smtp.domain.com`, `imap.domain.com`) && Path(`/cd98a9c8-24c2-441b-a6d5-159afe0b1822`)
Alternative names must be listed inside the Host() matcher, as stated in “Multiple Hosts in a Rule” Traefik Routers Documentation - Traefik
When the file is saved, Traefik picks up the new configuration immediately. However an HTTP request matching the rule is needed to trigger a cert request, as Matteo said:
I’d try for every altName, just to be sure…
This is not needed, and must be use with caution because restarting Traefik might generate too much Acme requests, which leads to the API rate limit cap.
Editing the certificate .yml file manually might break the API responses and the HTTP routes page.
Edit: there’s also another issue by my side: Mail ignores the host name and refuses to reload the certificate. In the Mail log I see:
Apr 29 12:15:45 ns8n5 agent@mail11[2408658]: Event ignored: the certificate does not match our hostname