I'm testing a git-based version of acme-client on OpenBSD 6.0 at the moment and visually comparing source with that in CVS, but this is relevant to OpenBSD 6.1 so bear with me here.
In the git version, in revokeproc.c at about line 237, we see the following comment following the "Parse the SAN line" text:

    we don't allowing removing domains from certificates

This behavior matches what I saw empirically, which is why I went looking at the source. Inspection of the OpenBSD CVS source, although it doesn't have that comment, appears to follow the same logic.

I'm still wading through the ACME protocol spec, but so far I've not seen anything that would prohibit removal of the domain. So my question is: Is this behavior something that should be mentioned in the BUGS section of the man page? Or am I missing something in the protocol spec?

To be clear, this would exhibit itself if you took a running configuration of:

    domain example.com {
        alternative names { secure.example.com www.example.com }
        ...
    }

and changed it to:

    domain example.com {
        alternative names { www.example.com }
        ...
    }

Devin
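The condition described in the message (a name dropped from the configuration while the issued certificate still carries it) can be detected from the certificate's SAN extension and the config file alone. The following is an added example, not code from acme-client or from the poster: it parses a constructed SAN line of the kind `openssl x509 -text` prints, extracts the domain and alternative names from the config layout shown above with a minimal parser (not acme-client's own), and contrasts a "reissue only when the config adds a name" rule, which is the behaviour the message reports, with a strict set-equality rule that would also flag the dropped name.

```python
"""Added example: compare the SAN names in an issued certificate with the
names an acme-client configuration asks for, and show how a subset rule
(reissue only when a name is added) differs from a strict equality rule
(reissue on any difference). Sample SAN line and config are constructed."""

import re

# Constructed sample: SAN extension text for a certificate issued from the
# message's original configuration (three names).
SAN_LINE = "DNS:example.com, DNS:secure.example.com, DNS:www.example.com"

# Constructed sample: the changed configuration from the message, with
# secure.example.com removed from the alternative names.
CONFIG_AFTER = """
domain example.com {
    alternative names { www.example.com }
}
"""


def parse_san_line(line):
    """Return the set of DNS names listed in an X.509 SAN line, lower-cased."""
    return {name.lower() for name in re.findall(r"DNS:([^,\s]+)", line)}


def parse_config_domains(text):
    """Return the set of names a config asks for: the domain itself plus its
    alternative names. Minimal parser for the layout in the message; it is
    not acme-client's parser and does not handle the full grammar."""
    names = set()
    head = re.search(r"domain\s+(\S+)\s*\{", text)
    if head is None:
        raise ValueError("no domain block found")
    names.add(head.group(1).lower())
    alt = re.search(r"alternative\s+names\s*\{([^}]*)\}", text)
    if alt is not None:
        names.update(n.lower() for n in alt.group(1).split())
    return names


def compare(cert_names, config_names):
    """Classify the difference between issued certificate and configuration."""
    return {
        "added": config_names - cert_names,    # wanted by config, missing in cert
        "dropped": cert_names - config_names,  # still in cert, no longer configured
    }


def needs_reissue_subset_rule(cert_names, config_names):
    """The behaviour the message reports: reissue only if the config asks for
    a name the certificate lacks; a name dropped from the config is ignored."""
    return bool(config_names - cert_names)


def needs_reissue_strict_rule(cert_names, config_names):
    """Stricter policy: any difference in either direction means the issued
    certificate no longer matches what is configured."""
    return cert_names != config_names


if __name__ == "__main__":
    cert = parse_san_line(SAN_LINE)
    conf = parse_config_domains(CONFIG_AFTER)
    diff = compare(cert, conf)
    print("cert SANs:   ", sorted(cert))
    print("config names:", sorted(conf))
    print("added:  ", sorted(diff["added"]))
    print("dropped:", sorted(diff["dropped"]))
    print("subset rule would reissue:", needs_reissue_subset_rule(cert, conf))
    print("strict rule would reissue:", needs_reissue_strict_rule(cert, conf))
```

Run against the constructed samples, the subset rule reports no reissue (the config's names are all present in the certificate) while the strict rule reports one, with `secure.example.com` listed under "dropped". A monitoring check that wants to notice stale names still present on a certificate is the strict comparison; the subset comparison is the one that reproduces what the message observed.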