Can't get certbot to make a multiple-domain Subject Alternative Name (SAN) certificate

##################################################
My domain is: https://intelligent-db.com but not relevant to this question
I ran this command:
sudo certbot certonly
--manual
--cert-name my-test-site.com
-d 'my-test-site.com,www.my-test-site.com'
--csr /etc/ssl/my-test-site/my-test-site_server.csr
--preferred-challenges dns
It produced this output:
Inconsistent domain requests:
From the CSR: my-test-site.com
From command line/config: my-test-site.com, www.my-test-site.com
My web server is apache 2.4 (not relevant)
The OS my web server runs on is osx 10.10 (not relevant)
My hosting provider, is n/a
I have root access
I'm using cmd line
The version of my client is certbot 1.23.0
I'm using openssl v3
##################################################

Hi, I'm trying to create a SAN cert manually with certbot using a CSR.
I've created a CSR using openssl:
My CSR has CN=my-test-site.com
and
Attributes:
Requested Extensions:
X509v3 Subject Alternate Name: www.my-test-site.com

It works if I use it to create a self-signed cert with openssl x509, and the self-signed cert shows me: CN=my-test-site.com and X509v3 Extensions:
X509v3 Subject Alternate Name: DNS: www.my-test-site.com
which looks correct to me.

Now, I can create a LE cert if I run:
sudo certbot certonly
--manual
--cert-name my-test-site.com
-d my-test-site.com
--csr /etc/ssl/my-test-site/my-test-site_server.csr
--preferred-challenges dns
but the created cert shows cert name == CN == SAN = my-test-site.com
even though the SAN field is in the csr.

The docs suggest I can put
-d my-test-site.com -d www.my-test-site.com
or
-d 'my-test-site.com,www.my-test-site.com'

However, if I provide the 2 domains, I get this error:
Inconsistent domain requests:
From the CSR: my-test-site.com
From command line/config: my-test-site.com, www.my-test-site.com

Any help appreciated :slight_smile:

A few things:

  • Please use the staging environment for testing purposes. It looks like you're using the production environment now, which besides adding unnecessary load to the servers, can lead to you hitting rate limits.
  • Do you really require the --csr option? Because it's an option which behaves very badly in combination with other features of Certbot. E.g., the certificate and chain are saved in the current directory instead of being stored in /etc/letsencrypt/ and there is no renewal configuration file generated et cetera. My recommendation is NOT to use the --csr option at all.
  • If you're absolutely sure about using the --csr option (I'd really like to hear a very good reason to do so), please show the contents of the CSR.
4 Likes

Hi Osiris, thanks for your reply, not sure if it's relevant to my question.
If the --csr option doesn't work, it should be removed from the tool.
As I said, the command works for a single domain, but not for multiple domains. The CSR is good, but here's a copy.

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

1 Like

That CSR just has www.amanda-stewart-hypnotherapy.com in the SAN field. If you want the non-www. version as well, you need both names in the SAN field. The CN name is pretty much ignored nowadays, you need all the names in the SAN.

But as @Osiris is saying, manually giving a CSR to certbot is really unusual, and generally there are much easier ways of doing whatever it is that you're trying to do.

4 Likes

It does work, but should only be used in very specific situations when the usual options of Certbot won't cut it. I did not read from your post if that's the case.

That's not the case. I just tried to replicate OP's issue, so I generated a CSR with the domain A in the CommonName and www.A in the SAN. It resulted in a certificate (from staging of course) with BOTH hostnames in the SAN.

So I can't replicate OP's issue I'm afraid.

3 Likes

Oh, interesting. I guess I was making an unwarranted assumption there. Might be easier to diagnose if we got the actual log and error message, as I'm wondering if attempts to redact the domain name are causing confusion.

3 Likes

You can read the Boulder code here:

It appends the CommonName to the list of SANs.

If I were OP, I'd just use regular Certbot commands without using --csr so this weird finding isn't a problem to begin with. My guess is that the CSR provided to Certbot is actually not the same CSR as presented here. I couldn't think of any other option.

4 Likes

Or is it maybe some kind of check within certbot, before it's even getting to Boulder? (That's why having the real log & error messages would be helpful.) Are your tests with the same certbot 1.23.0? (Knowing you, they probably are, I'm just trying to follow standard troubleshooting protocol of eliminating the variables.)

4 Likes

I agree, a full log would be helpful.

Nope, 1.25.0.dev0 :wink: (But there hasn't been much modification to the core code of Certbot recently I think.)

4 Likes

As an aside, I found the Inconsistent domain requests:\nFrom the CSR message in certbot but nothing like that in Boulder.

I think we all agree we need to see

/var/log/letsencrypt/letsencrypt.log
4 Likes

This may or may not currently work in Boulder for legacy reasons, however it will be deprecated eventually. Pebble requires every domain in the SAN, and I believe Certbot does too. The CN has been deprecated for several years by RFCs and has really only been supported for legacy concerns.

See:

There has also been a bit of work on Boulder regarding SAN/CN:

4 Likes
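The two points made above (every name you request has to be in the SAN extension, and the CN should not be relied on) can be checked locally before certbot is ever involved. The script below is an added example, not code from this thread or from the Certbot project. It assumes an openssl binary at version 1.1.1 or newer (for -addext; the original poster reports OpenSSL 3) plus the usual sed/grep/sort/tr, and uses constructed hostnames. It builds both CSR shapes seen in the thread (CN only in the subject with just the www name in the SAN, and the corrected one with both names in the SAN), reads the names back out, and runs a simplified pre-flight check in the same shape as certbot's "Inconsistent domain requests" message. Unlike the Boulder behaviour discussed earlier, this check deliberately ignores the CN, which is the stricter reading of the advice above.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Certbot project.
# Assumes openssl >= 1.1.1 (for -addext) and POSIX sed/grep/sort/tr.
# All hostnames are constructed sample values.

# make_csr KEYFILE CSRFILE CN SANHOST...
# Writes a fresh RSA key and a CSR whose subjectAltName lists exactly the
# SANHOST arguments. The CN is NOT copied into the SAN automatically, so
# the caller can build both the "CN only" CSR and the corrected one.
make_csr() {
    key=$1; csr=$2; cn=$3; shift 3
    san=""
    for h in "$@"; do
        san="${san:+$san,}DNS:$h"
    done
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$key" -out "$csr" -subj "/CN=$cn" \
        -addext "subjectAltName=$san" 2>/dev/null
}

# csr_cn CSRFILE -- print the CommonName ("CN = x" and "/CN=x" styles)
csr_cn() {
    openssl req -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# csr_san_names CSRFILE -- DNS entries of the SAN extension, one per line,
# sorted and de-duplicated (empty output if the extension is absent)
csr_san_names() {
    openssl req -noout -text -in "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | sort -u
}

# requested_names LIST -- normalise certbot's comma-separated -d value
requested_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//;s/ *$//' | sort -u
}

# check_domains CSRFILE LIST -- simplified pre-flight check: the set of SAN
# names must equal the set of requested names. Returns 0 on a match and 1
# on a mismatch, printing a message in the same shape as certbot's.
check_domains() {
    from_csr=$(csr_san_names "$1")
    from_cli=$(requested_names "$2")
    if [ "$from_csr" = "$from_cli" ]; then
        return 0
    fi
    printf 'Inconsistent domain requests:\n'
    printf 'From the CSR: %s\n' "$(printf '%s' "$from_csr" | tr '\n' ' ')"
    printf 'From command line/config: %s\n' "$(printf '%s' "$from_cli" | tr '\n' ' ')"
    return 1
}

# Stand-alone demonstration: the thread's first CSR shape versus the fixed one.
demo() {
    tmp=$(mktemp -d)
    make_csr "$tmp/k1.pem" "$tmp/bad.csr"  example.com www.example.com
    make_csr "$tmp/k2.pem" "$tmp/good.csr" example.com example.com www.example.com
    for f in bad good; do
        printf '%s.csr: CN=%s SAN=%s\n' "$f" "$(csr_cn "$tmp/$f.csr")" \
            "$(csr_san_names "$tmp/$f.csr" | tr '\n' ' ')"
        if check_domains "$tmp/$f.csr" 'example.com,www.example.com'; then
            printf '%s.csr: consistent with -d example.com,www.example.com\n' "$f"
        fi
    done
    rm -rf "$tmp"
}

demo
```

Run it as `sh check_csr.sh`; the "bad" CSR fails the check exactly because its SAN carries only the www name, while the "good" one passes regardless of the order the names are given in the -d value. Running `csr_san_names` against the file you actually hand to --csr is also the quickest way to confirm that the CSR on disk is the one you think it is, which is the open question in this thread.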

The CSR has:

  • CN = amanda-stewart-hypnotherapy.com
  • SAN = www.amanda-stewart-hypnotherapy.com
2 Likes

Thanks everybody for the feedback.
I have made a new CSR with:

  • CN = amanda-stewart-hypnotherapy.com
  • SAN = amanda-stewart-hypnotherapy.com,www.amanda-stewart-hypnotherapy.com

however, certbot is still saying there is a mis-match.

sudo certbot certonly --cert-name amanda-stewart-hypnotherapy.com -d 'amanda-stewart-hypnotherapy.com,www.amanda-stewart-hypnotherapy.com' --csr /etc/ssl/amanda-stewart-hypnotherapy/ash_server.csr --manual --preferred-challenges dns

Inconsistent domain requests:
From the CSR: amanda-stewart-hypnotherapy.com
From command line/config: amanda-stewart-hypnotherapy.com, www.amanda-stewart-hypnotherapy.com

removing the www domain from the certbot command stops the error, but produces a cert with only 1 SAN even though the csr has 2 domains.

Here is the log:

2022-03-03 11:45:47,421:DEBUG:certbot._internal.main:certbot version: 1.23.0
2022-03-03 11:45:47,422:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/local/bin/certbot
2022-03-03 11:45:47,422:DEBUG:certbot._internal.main:Arguments: ['--cert-name', 'amanda-stewart-hypnotherapy.com', '-d', 'amanda-stewart-hypnotherapy.com,www.amanda-stewart-hypnotherapy.com', '--csr', '/etc/ssl/amanda-stewart-hypnotherapy/ash_server.csr', '--manual', '--preferred-challenges', 'dns']
2022-03-03 11:45:47,422:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-03-03 11:45:47,449:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/local/bin/certbot", line 33, in <module>
    sys.exit(load_entry_point('certbot==1.23.0', 'console_scripts', 'certbot')())
  File "/usr/local/Cellar/certbot/1.23.0/libexec/lib/python3.10/site-packages/certbot/main.py", line 19, in main
    return internal_main.main(cli_args)
  File "/usr/local/Cellar/certbot/1.23.0/libexec/lib/python3.10/site-packages/certbot/_internal/main.py", line 1651, in main
    args = cli.prepare_and_parse_args(plugins, cli_args)
  File "/usr/local/Cellar/certbot/1.23.0/libexec/lib/python3.10/site-packages/certbot/_internal/cli/__init__.py", line 452, in prepare_and_parse_args
    return helpful.parse_args()
  File "/usr/local/Cellar/certbot/1.23.0/libexec/lib/python3.10/site-packages/certbot/_internal/cli/helpful.py", line 213, in parse_args
    self.handle_csr(parsed_args)
  File "/usr/local/Cellar/certbot/1.23.0/libexec/lib/python3.10/site-packages/certbot/_internal/cli/helpful.py", line 294, in handle_csr
    raise errors.ConfigurationError(
certbot.errors.ConfigurationError: Inconsistent domain requests:
From the CSR: amanda-stewart-hypnotherapy.com
From command line/config: amanda-stewart-hypnotherapy.com, www.amanda-stewart-hypnotherapy.com
2022-03-03 11:45:47,449:ERROR:certbot._internal.log:Inconsistent domain requests:
From the CSR: amanda-stewart-hypnotherapy.com
From command line/config: amanda-stewart-hypnotherapy.com, www.amanda-stewart-hypnotherapy.com

and here is the CSR...

-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----

thanks again
jonathan

2 Likes

Thanks. I used your latest CSR and command options but I do not fail with the same error. Was that the entire log file? My certbot runs normally until it requests adding the TXT record to the DNS which of course I cannot do.

The one thing I see is you are not using snap for your certbot install. How did you install v1.23?

Here is the beginning of my log with your csr and options for comparison:

2022-03-03 14:03:08,765:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 1497
2022-03-03 14:03:09,270:DEBUG:certbot._internal.main:certbot version: 1.24.0
2022-03-03 14:03:09,270:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1842/bin/certbot
2022-03-03 14:03:09,270:DEBUG:certbot._internal.main:Arguments: ['--cert-name', 'mikeash', '-d', 'amanda-stewart-hypnotherapy.com,www.amanda-stewart-hypnotherapy.com', '--csr', 'ash.csr', '--manual', '--preferred-challenges', 'dns', '--preconfigured-renewal']
2022-03-03 14:03:09,270:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#certbot-route53:auth,PluginEntryPoint#dns-route53,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
(****Note: You did not reach the below point in your log)
2022-03-03 14:03:09,316:DEBUG:certbot._internal.log:Root logging level set at 30
2022-03-03 14:03:09,317:DEBUG:certbot._internal.plugins.selection:Requested authenticator manual and installer None
2022-03-03 14:03:09,321:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * manual
Description: Manual configuration or run your own shell scripts
Interfaces: Authenticator, Plugin
Entry point: manual = certbot._internal.plugins.manual:Authenticator
Initialized: <certbot._internal.plugins.manual.Authenticator object at 0x7f8654e5dc70>
Prep: True
2022-03-03 14:03:09,321:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.manual.Authenticator object at 0x7f8654e5dc70> and installer None
2022-03-03 14:03:09,321:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator manual, Installer None
(... considerably more info after this removed for brevity ...)
2 Likes

And to re-iterate, trying to do manual DNS authentication with a manual CSR is almost certainly the most difficult possible way to accomplish whatever you're trying to do. If you're using Apache, why wouldn't you just use the Apache or webroot plugins (or if you prefer DNS-01 authentication, using an automated plugin for your DNS provider) and just let Certbot do its job, which would allow renewals to be automated as well? Why are you trying to make your own CSR and do everything manual?

4 Likes

Hi Peter, I'm not sure what you define as 'difficult', I'll agree that the documentation is lamentable - almost circular, but everything I'm trying to do works with a single DNS. It just borks when offered 2. The docs suggest I'm allowed to run certbot as a one-off manual process, with a supplied CSR so that's what I'm choosing to do. I was hoping for some help, rather than the usual stackexchange experience :slight_smile:

Oh yes, it should work I agree. And others seem to be trying to follow what you're doing and certbot is working for them. So it's hard to know what's wrong, so I was trying to help by suggesting other things that might accomplish your goals. My best guess at this point is that the CSR you've posted here isn't the same as the file certbot is reading, somehow, or something like that, but it's hard to really know what's going on for sure at this point, if others can't reproduce it.

2 Likes

Hi Mike, thanks for taking the time to run that CSR. I'm suspecting that the certbot config is broken here.
I installed it using homebrew, but the VM it's running on is not the latest version.
I can't remember why I'm using a CSR, so next time I'll try without.
I was unable to find an official 'getting started' guide, so I'm having to learn from people's 'works for me' style blogs.

2 Likes

The problem is that using a CSR manually is an unusual use of certbot and what's happening doesn't make any sense to anybody.

It's not your fault you're doing something uncommon, but it's still uncommon, and might even be a bug somewhere.

2 Likes

Thanks, the 2nd CSR is different to the 1st one, but looking at Mike's log segment, I can see that it's accepting the CSR.
I'm going to hazard that my build of certbot is broken, or one of its dependencies is.
Thanks :slight_smile:

2 Likes