From 2486a5e3965d25344e34c9ef98300f893fcdeb39 Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Sat, 31 Jan 2026 16:38:56 +0200
Subject: fix: don't add www prefix to f3s hosts in ACME config

F3S hosts don't have DNS records for www variants, causing ACME validation
to fail. Only non-f3s hosts get www.hostname as alternative name in cert.

Fixes: audiobookshelf.f3s.buetow.org and other f3s hosts unable to obtain valid TLS certs
Amp-Thread-ID: https://ampcode.com/threads/T-019c1441-7e3a-77cd-890f-cd31df998a31
Co-authored-by: Amp <amp@ampcode.com>
---
 frontends/etc/acme-client.conf.tpl | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/frontends/etc/acme-client.conf.tpl b/frontends/etc/acme-client.conf.tpl
index 473fae3..0c9671d 100644
--- a/frontends/etc/acme-client.conf.tpl
+++ b/frontends/etc/acme-client.conf.tpl
@@ -29,7 +29,11 @@ authority buypass-test {
      next if $host =~ /^(ipv4|ipv6)\./;
 -%>
 <%   # Check if this host has ipv4/ipv6 subdomains that need to be included as SANs
-     my @alt_names = ("www.$host");
+     my @alt_names;
+     # Don't add www prefix for f3s hosts - they don't have DNS records for www variants
+     unless (grep { $_ eq $host } @$f3s_hosts) {
+         push @alt_names, "www.$host";
+     }
      for my $sub_host (@$acme_hosts) {
          if ($sub_host =~ /^(ipv4|ipv6)\.\Q$host\E$/) {
              push @alt_names, $sub_host;
-- 
cgit v1.2.3