we have a real strange problem here. A certificate got renewed, but the new certificate does not contain the “www.” subdomain as SAN.
The initial certificate was requested and issued for (eg.)
www.example.org) on March 22nd.
On June 22nd, a new certificate was requested, and this contains only
example.org as subjectAltName!
To track down the problem, I dumped the CSR which we’re sending for the renewal request. This CSR definitely does contain both names (with/without www).
Can anyone here explain this behaviour? The authorizations for both subdomains are of course still valid; only interesting fact is that one authorization is newer than the other one (looks like the customer ran the authorization for the non-www subdomain again some weeks later). Both authorizations belong to the same ACME account.
Boulder-Request-Id of the most recent test was
wzeLgVvFAtQAAQjLcsfTy_zCL1SbPogf4meIEHtbSCw; if you need the commonName or the CSR please let me know (don’t want to publish that here).
We’re using our “own” ACME client - however, this problem seems not specific to the software but rather to the protocol or the CA/backend.
Thanks & best regards!