In anticipation of backwards incompatible changes, certbot-dns-cloudflare now
requires less than version 2.20 of Cloudflare's python library.
Fixed
Fixed a bug in Certbot where a CSR's SANs did not always follow the order of
the domain names that the user requested interactively. In some cases, the
resulting cert's common name might seem picked up randomly from the SANs
when it should be the first item the user had in mind.
More details about these changes can be found on our GitHub repo.
While Let's Encrypt might do that (I don't know and didn't check ) there are other ACME CAs that depend on the order. I had a similar bug report for the Ansible acme_certificate module recently; I stored the names in a set (which has a 'random' order) and thus sent them in a different order when creating the ACME order than they were in the CSR. Since the CA the reported used was using the names from the order and not the submitted CSR, it resulted in certificates issued that caused problems due to having the wrong common name.
Let’s Encrypt promotes the first eligible domain from the CSR to the CN, unless a CN is provided in the CSR. The names are eventually sorted to produce the SANs in the certificate. There was an unintentional change in 2023 that used the sorted list instead but that was quickly reverted.