Hi,
we have a really strange problem here. A certificate got renewed, but the new certificate does not contain the “www.” subdomain as SAN.
The initial certificate was requested and issued for (e.g.) example.org and www.example.org (commonName: example.org, subjectAltName: example.org, www.example.org) on March 22nd.
On June 22nd, a new certificate was requested, and this contains only example.org as subjectAltName!
To track down the problem, I dumped the CSR which we’re sending for the renewal request. This CSR definitely does contain both names (with/without www).
Can anyone here explain this behaviour? The authorizations for both subdomains are of course still valid; the only interesting fact is that one authorization is newer than the other one (looks like the customer ran the authorization for the non-www subdomain again some weeks later). Both authorizations belong to the same ACME account.
The Boulder-Request-Id of the most recent test was wzeLgVvFAtQAAQjLcsfTy_zCL1SbPogf4meIEHtbSCw; if you need the commonName or the CSR please let me know (don’t want to publish that here).
We’re using our “own” ACME client - however, this problem seems not specific to the software but rather to the protocol or the CA/backend.
Thanks & best regards!
-Klaus