diff --git a/services/kanidm/default.nix b/services/kanidm/default.nix
index ad45c39..69a57d1 100644
--- a/services/kanidm/default.nix
+++ b/services/kanidm/default.nix
@@ -39,9 +39,11 @@
   users.users.kanidm.extraGroups = [ "acme" ];
 
   # ACME certificate from internal CA
+  # Include both the CNAME (auth) and A record (kanidm01) for Prometheus scraping
   security.acme.certs."auth.home.2rjus.net" = {
     listenHTTP = ":80";
     reloadServices = [ "kanidm" ];
+    extraDomainNames = [ "${config.networking.hostName}.home.2rjus.net" ];
   };
 
   # Vault secret for idm_admin password