Choose domain for expanded certificate


#1

Hi,

I have several subdomains that I have certificates for. When I expand my certificates to cover all the subdomains, it seems like LetsEncrypt randomly chooses a subdomain to display for the certificate.

Example:
domain.com www.domain.com beta.domain.com hello.domain.com

It randomly chooses hello.domain.com to display on the certificate. This doesn’t really make sense. I would like it to display domain.com.

I have tried updated the /etc/letsencrypt/renewal/domain.conf file. I put domain.com first in the list of domains, but that did not do anything.

I also tried deleting all my other certificates. Restarting with just a certificate for domain.com. Then going back and expanding it out. That did not work either. Still displays a subdomain on the certificate that doesn’t really make sense and shouldn’t be there.

Thanks for any help.


#2

Hi @eolson, is your concern covered by this issue?


#3

Yes thanks, that does look like my issue. It looks like it’s considered more of a “feature” than an issue though.

Right now when someone clicks to view the certificate, they see a subdomain that is internally used. So that is confusing. If there is no way to order these SAN’s ( or choose the one shown by the cert ). I may have to go back to using a single certificate for each subdomain.


#4

I suppose the OP is referring to the CN not the order of the SANs.

For me the first domain entered is used as the CN.


#5

@eolson the randomization is not a featuer, but a bad side-effect OF a feature (lower-casing all names and remove duplicates)


#6

@eolson, I think it is possible that Boulder will be changed to stop having this behavior, but it doesn’t look like there has been concrete work toward that yet. It might be helpful if you could comment on the GitHub issue (or I can comment for you if you’d like me to).