Certificate is issued without "www", though contained as SAN!


#1

Hi,

we have a really strange problem here. A certificate got renewed, but the new certificate does not contain the “www.” subdomain as SAN.

The initial certificate was requested and issued for (e.g.) example.org and www.example.org
(commonName: example.org, subjectAltName: example.org, www.example.org) on March 22nd.

On June 22nd, a new certificate was requested, and this contains only example.org as subjectAltName!

To track down the problem, I dumped the CSR which we’re sending for the renewal request. This CSR definitely does contain both names (with/without www).

Can anyone here explain this behaviour? The authorizations for both subdomains are of course still valid; the only interesting fact is that one authorization is newer than the other one (it looks like the customer ran the authorization for the non-www subdomain again some weeks later). Both authorizations belong to the same ACME account.

The Boulder-Request-Id of the most recent test was wzeLgVvFAtQAAQjLcsfTy_zCL1SbPogf4meIEHtbSCw; if you need the commonName or the CSR please let me know (don’t want to publish that here).

We’re using our “own” ACME client - however, this problem seems not specific to the software but rather to the protocol or the CA/backend.

Thanks & best regards!

-Klaus


#2

Can you rule out that the certificate was issued to a different account key? One possible explanation would be that this other account only had a valid authorization for example.org, in which case the ACME server would discard the www.example.org SAN element from your CSR:

The values provided in the CSR are only a request, and are not guaranteed. The server or CA may alter any fields in the certificate before issuance. For example, the CA may remove identifiers that are not authorized for the account key that signed the request.


#3

Sadly we didn’t log which account key was used for ACME requests. We’ll change that immediately. :wink:
Your explanation sounds reasonable, though I’d expect some error message when submitting unauthorized subjectAltNames.
Thank you!
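The two checks this thread ends up recommending, as an added example that is not part of the original posts or of any ACME client mentioned here: compare the DNS names in the CSR's subjectAltName with the names the CA actually put in the certificate (the thing #1 did by hand), and record a stable fingerprint of the ACME account key with every request (the logging #3 says was missing). It assumes an OpenSSL 1.1.1 or newer `openssl` binary on PATH; the file names, the function names and the `make_test_pair` fixture (a CSR for example.org plus www.example.org and a self-signed certificate carrying only the names you pass in, standing in for a CA that dropped an unauthorized identifier) are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Requires OpenSSL 1.1.1+ on PATH.
set -eu

# san_names FILE KIND: print one DNS name per line from the SAN extension of a
# CSR (KIND=req) or certificate (KIND=x509), sorted. Prints nothing if no SAN.
san_names() {
    openssl "$2" -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | sort
}

# missing_sans CSR CERT: print the names requested in the CSR that the CA did
# not put into the certificate. Exit status 1 if any are missing, 0 otherwise,
# so a renewal job can fail loudly instead of deploying a narrower cert.
missing_sans() {
    have=$(mktemp)
    san_names "$2" x509 > "$have"
    # grep -v with an empty pattern file prints every requested name, which is
    # the right answer when the certificate carries no SAN at all.
    missing=$(san_names "$1" req | grep -vxF -f "$have" || true)
    rm -f "$have"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# account_key_fingerprint KEY.pem: SHA-256 over the DER SubjectPublicKeyInfo of
# the ACME account key. Log this next to every order/finalize request so the
# "which account was this certificate issued under?" question can be answered.
account_key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= //'
}

# make_test_pair DIR CERT_SANS: constructed fixture. Writes key.pem and a CSR
# asking for example.org and www.example.org, then a self-signed cert.pem
# carrying only CERT_SANS (e.g. "DNS:example.org").
make_test_pair() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/key.pem" -subj "/CN=example.org" \
        -addext "subjectAltName=DNS:example.org,DNS:www.example.org" \
        -out "$1/csr.pem" 2>/dev/null
    openssl req -x509 -key "$1/key.pem" -days 1 -subj "/CN=example.org" \
        -addext "subjectAltName=$2" -out "$1/cert.pem" 2>/dev/null
}

# Demo run: the constructed certificate lacks www.example.org, so the check
# prints that name and exits non-zero, which is the alert a renewal job wants.
demo() {
    dir=$(mktemp -d)
    make_test_pair "$dir" "DNS:example.org"
    echo "account key: $(account_key_fingerprint "$dir/key.pem")"
    if missing_sans "$dir/csr.pem" "$dir/cert.pem"; then
        echo "all requested names present"
    else
        echo "ALERT: the names above were requested in the CSR but not issued"
    fi
    rm -rf "$dir"
}
demo
```

In a real client you would call `missing_sans` on the CSR you submitted and the certificate you downloaded from the order, and write the `account_key_fingerprint` output into the same log line as the Boulder request id; with both recorded, the "different account key" explanation from #2 can be confirmed or ruled out from the logs alone.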

