Certificate not issuing with the correct common name first

Help! I have been issuing and renewing SSL certificates for a couple of years with Let's Encrypt, and within the last 12 days, it started issuing certificates with the Common Name not being the first one I specify on the command line. See my command below. My web host will only accept certificates with "www" in front of the domain name, e.g. www.withheathermartin.com but the website itself is hosted on withheathermartin.com without the www. So, certbot is run with the "www" version listed as the first domain name, followed by the non-www version next. However, the certificate is returned with the non-www version as the Common Name, and the cert is being rejected by my web host due to this. This changed recently, because examining the certificates issued prior to this issue, they all came back with the "www" version listed as the Common Name (I just checked the logs to confirm).

I am confirming the Common Name by running this command on each certificate:
openssl x509 -noout -text -nameopt multiline -in cert.pem

The domains listed below all are affected by this and have a certificate that's expiring soon because the new certificate issued by Let's Encrypt is not putting the first domain name as the Common Name. I don't have much room for experimentation with command line parameters because Let's Encrypt locks me out of revoking and re-creating certificates after several attempts, so I'm locked out until tomorrow sometime.

I have tried using the --cert-name command line option to force a specific common name, but that isn't working.

Please help! Thank you!

My domains are: withheathermartin.com, wendy-mccann.com, withheathermartin.com, wisefamilyessentials-com, walkinfreedom-net, wendysater.com, wandajohnson.net

I ran this command:

certbot certonly --manual --preferred-challenges http -d www.withheathermartin.com -d withheathermartin.com --config-dir ssl-config-dir --work-dir ssl-working-dir --logs-dir ssl-logs-dir --non-interactive --manual-auth-hook "ssl-automation/authenticator.sh getoiling" --manual-cleanup-hook "ssl-automation/cleanup.sh getoiling" --agree-tos --email redacted@attractwell.com --manual-public-ip-logging-ok

It produced this output:
(Generated a certificate - see description above)

My web server is (include version): Apache, via Liquid Web Cloud Sites

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Liquid Web / Cloud Sites

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0



1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.