relayd: support explicit paths for keypair
On Tue Feb 24, 2026 at 11:58:51AM +0100, Kirill A. Korinsky wrote:
> On Thu, 19 Feb 2026 21:28:17 +0100,
> Rafael Sadowski <rafael@sizeofvoid.org> wrote:
> >
> > The following diff extends the keypair keyword in relayd.conf to allow
> > explicit path specifications for certificates, private keys, and OCSP
> > staple files.
> >
> > Currently, relayd relies on a fixed lookup logic, searching for TLS
> > crt/key in /etc/ssl and /etc/ssl/private based on the keypair name and
> > port.
> >
> > That has always annoyed me, since all other applications must comply
> > with the naming convention of relayd.
> >
> > The idea is simple: the keypair statement now supports optional
> > certificate, key, and ocsp keywords followed by a path:
> >
> > keypair name [certificate path [key path [ocsp path]]].
> >
>
> But it makes layout of the key simpler to manage.
And this possibility is still there.
>
> Why not move in the opposite direction and simplify acme-client.conf as
> probably a good source of certificates and keys to:
>
> domain example.com {
> 	alternative names { secure.example.com }
> 	domain [full chain] keypair name example.com
> 	sign with letsencrypt
> }
acme-client was not meant here. Let's say you have a wildcard
certificate. What would you do?