Certbot picks up wrong CN from the SAN list while renewing/creating cert

I am using the certbot --certonly utility to renew / issue certs. I have a multiple-SAN list which consists of around 8 names.
command: certbot certonly kid=xxx key=xxx --server "https://xxx/" --config /cert/cert.conf --cert-name "x1.com" -d "x1.com" --key-type "rsa" --rsa-key-size 2048 -d "x2.com,x3.com,x4.com,x5.com,x6.com,x7.com,x8.com,x9.com,x9.com" --webroot -w /cert/certbot-certs

When I run this command multiple times, the certificate common name changes and is randomly picked from the SAN list. ("x2.com,x3.com,x4.com,x5.com,x6.com,x7.com,x8.com,x9.com,x9.com")

I need the certificate common name to be the same as specified by the first -d option (-d "x1.com").

Is this possible?

This doesn't appear to be an option in certbot, but I think you can do it if you provide your own CSR:

It can be done in some other ACME clients.


I believe Let's Encrypt uses the first SAN entry as CN. They did change this behaviour some time ago though, but I thought they reversed that decision? In a post on the Certbot Github repo @jsha said:

Update on the community thread: at Let's Encrypt we're going back to the old behavior for now (first SAN from CSR promoted to Subject CN instead of alphabetically-first SAN). But we still plan to push towards no-Subject-CN issuance for almost everyone, and eventually for everyone.

Maybe LE changed something again?


What certificate authority are you using?



It might be tough to find out Digicert's issuance policies from the Let's Encrypt Community Forum. :slight_smile:

I think this is an interesting thing to understand and document, including about other CAs, but it's unlikely that people here will know the answer offhand. There are Certbot developers here who can tell you about Certbot behavior, but the content of the issued cert is ultimately determined by the issuer, not the requester.


From the certbot source code, certbot doesn't fill the CN and sends the CSR without any CN to the ACME server.


Correct. That's why @webprofusion suggested generating and providing your own CSR with a CN. Although I don't recommend using Certbot with a separate CSR, as that behaviour is very different from other Certbot modes of operation and e.g. cannot be renewed automatically IIRC.
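The workaround suggested above (your own CSR carrying the CN, fed to certbot with --csr), as an added example that is not part of the thread: the script builds an openssl config with CN=x1.com in the Subject and every name in subjectAltName, and checks the CSR before it is handed to the CA, since the issued cert's CN is still the issuer's decision. The names x1.com..x3.com are constructed from the question's list; the work directory and certbot paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a CSR with an explicit Subject CN plus
# all SAN names, so the CN no longer depends on how the CA orders the SAN list.
set -eu

WORK="${WORK:-$(mktemp -d)}"           # assumed scratch directory
CN="x1.com"                            # the name that must end up in the Subject CN
SANS="x1.com x2.com x3.com"            # constructed; the CN must also appear here

make_csr() {
    # Emit an openssl config: Subject holds only the CN, the SAN extension holds every name.
    san_lines=""
    i=1
    for name in $SANS; do
        san_lines="${san_lines}DNS.${i}=${name}\n"
        i=$((i + 1))
    done
    printf '[req]\ndistinguished_name=dn\nreq_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\nsubjectAltName=@alt\n[alt]\n%b' \
        "$CN" "$san_lines" > "$WORK/csr.conf"
    # Fresh 2048-bit RSA key and CSR, matching the --rsa-key-size used in the question.
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/privkey.pem" -out "$WORK/request.csr" \
        -config "$WORK/csr.conf" 2>/dev/null
}

csr_cn() {
    # The CN the CSR really carries (works for both "CN = x" and "/CN=x" subject formats).
    openssl req -in "$WORK/request.csr" -noout -subject \
        | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

csr_sans() {
    # Space-separated DNS SANs, in CSR order.
    openssl req -in "$WORK/request.csr" -noout -text \
        | grep -o 'DNS:[^,]*' | tr -d ' ' | sed 's/DNS://' | tr '\n' ' ' | sed 's/ $//'
}

# Usage: after make_csr and the two checks pass, submit the CSR instead of -d names.
# Note from the thread: certs obtained via --csr are not renewed by "certbot renew",
# so this script has to be re-run on each renewal.
#   certbot certonly --csr "$WORK/request.csr" --webroot -w /cert/certbot-certs
```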


It may be easier to fix whatever system is requiring a particular CN than to try to coerce certbot and Digicert into giving you that CN. The industry is moving toward trying to get rid of having any domain name in the CN entirely.


I have to ask....
For this specific purpose, do you really need a cert that covers multiple names?
[if you request a cert with only one name, then the CN is guaranteed]

