@pfg, I asked @bmw about the history of Certbot releases and what they did about preserving the requested domain order.
In all released and planned Certbot versions, you’ll still have the old lineage name (in terms of what the certificate lineage is called on disk).
@bmw says that for renewal with `certonly` (or initial issuance with `certonly` or when running with `run` or no specific verb), you’ll preserve the order of requested names from the command-line `-d` arguments in all versions except 0.5.0.
certonly renew, you’ll get alphabetical order in 0.4.0 to 0.5.0, random order in 0.5.0, alphabetical order in 0.6.0 until now, and, in the upcoming release, the order will be preserved.
So depending on what you have and what you want, you may or may not be able to “fix” it when upgrading to a new version. (It’s always possible to delete existing lineages completely by deleting all associated files in `/etc/letsencrypt`, and then make fresh lineages from scratch; you also have to be careful not to leave behind any references to the old lineages’ files in web server config files.)
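An added example, not part of the original post: one way to check for the leftover references mentioned above after deleting a lineage. It assumes the standard Certbot layout (`live/<lineage>/` and `archive/<lineage>/` under `/etc/letsencrypt`); the function name and the config directories in the usage comment are illustrative assumptions.

```shell
#!/usr/bin/env bash
# Report web server config files that still reference a Certbot lineage
# whose directory no longer exists under <le_dir>/live or <le_dir>/archive.
#
# Usage: find_stale_lineage_refs <le_dir> <conf_dir>...
#   e.g. find_stale_lineage_refs /etc/letsencrypt /etc/nginx /etc/apache2
# Output: one "<config file><TAB><lineage name>" line per stale reference.
find_stale_lineage_refs() {
    local le_dir="${1%/}"; shift
    local hit file dir
    # -o prints only the matched "<le_dir>/live/<lineage>" prefix, -H adds
    # the file name, so every hit looks like "file:/path/to/live/<lineage>".
    grep -rHoE -- "${le_dir}/(live|archive)/[^/[:space:];\"']+" "$@" 2>/dev/null |
        sort -u |
        while IFS= read -r hit; do
            file="${hit%%:*}"   # config file holding the reference
            dir="${hit#*:}"     # referenced lineage directory
            # A reference is stale when the lineage directory is gone.
            [ -d "$dir" ] || printf '%s\t%s\n' "$file" "${dir##*/}"
        done
}

# Constructed demo data (not real server config): one live lineage and
# one config file that still points at a deleted "-0001" lineage.
demo() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/letsencrypt/live/example.org" "$root/nginx"
    printf 'ssl_certificate %s/letsencrypt/live/example.org/fullchain.pem;\n' \
        "$root" > "$root/nginx/current.conf"
    printf 'ssl_certificate %s/letsencrypt/live/example.org-0001/fullchain.pem;\n' \
        "$root" > "$root/nginx/old.conf"
    find_stale_lineage_refs "$root/letsencrypt" "$root/nginx"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Config file names containing a colon are not handled, since the `file:match` output of `grep` is split on the first colon.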