Common Name change after using --expand flag


I find myself with a Common Name (CN) that I hadn’t expected.

When I first requested the certificate for the Web site in question, I requested a certificate for ‘’ and that was all.


letsencrypt certonly --webroot --webroot-path /var/www/ --domain

It gave me a fully working certificate with the CN = Great. This makes logical sense to me and to those few actually looking at the certificate through a Web browser.

We do have a vhost based subdomain on this server, which can be considered as somewhat ‘secondary’ in functionality and also is of less interest to the main public. (Cause everyone goes for the ‘www’ site.) The ‘secondary’ subdomain is then called ‘’.

So I executed:

letsencrypt --expand certonly --webroot --webroot-path /var/www/ --domain --webroot-path /var/www/ --domain

I realize that I have one single shared certificate, valid for both and This is absolutely fine with me.

What surprised me, and what has actually surprised a few visitors to our Web server (they looked at the cert !?!?! ) is that now the Common Name of the cert is set to CN = This raised a few eyebrows to a few visitors and I’ve had to explain that it’s correct.

The vast majority of our visitors will visit Only those who have the required login will make any practical use of even though anyone in the world may visit the ‘login page’.

It would therefore look more logical to anyone actually inspecting the certificate if the CN was set to and not to

I noticed that in the file /etc/letsencrypt/renewal/ the order was:

[[webroot_map]] = /var/www/ = /var/www/

so with an editor I switched the order to become:

[[webroot_map]] = /var/www/ = /var/www/

Then I forced a renewal of the certificate and reloaded apache.

But it seems to me that the “unwanted” order is kept as it was and that the CN remains ‘’.

I realize that technically it doesn’t make any difference, but it does make a difference to a human being looking at the certificate through the browser.


  1. Is this working as designed?
  2. Has any thought been spent on this at all or is it considered as absolutely irrelevant?
  3. Is there any way to bump the certificate to have the CN we’d want? (Except from “starting all over”.)


A change introduced in version 0.5.0 caused the client to accidentally scramble the domain list. Before that, the first domain passed via --domain would end up being the Common Name.

There’s a fix for this which will probably be included in 0.6.0. You can either wait for that release, try to downgrade to a 0.4.* release (you’d probably have to do a developer installation and use the v0.4.2 git tag), or generate your own CSR with the correct Common Name and use it via --csr.

Issue and PR with the fix for your reference:

Change base domain name for Lets Encrypt SSL certificate
Wrong CN using multiple SAN
Certificate wrong subject
Common name SAN not first domain in list
Certificate wrong subject

Thanks for the explanation @pfg , that makes a lot of sense.

Having this information, I can calmly sit back and wait for a future release of V0.6.0 or similar. Most importantly, I can explain the (non-critical) situation on my side. :slight_smile:


I am having the exact same problem! Glad that I know you’re aware of this and are fixing for the next release. Thank you.


Does this change also apply to when certificates are generated using a template as described here? (Note that I have used multiple domains in the template, despite what the author suggests it actually works).

Currently the common name appears to be assigned at random, and will sometimes change when the certificate is expanded. Just wondering if this will be fixed in the next release so that the common name is the first name listed in the template?

Webroot using CSR

Yes, this bug affects all usage types of the client other than manually specifying a CSR via --csr. A fix is scheduled for 0.6.0.


Just an update for anyone else with this problem who stumbles upon this thread, as @pfg suggests, downgrading to version 0.4.2 will solve the issue until 0.6.0 is released. To downgrade I simply uploaded and unzipped the .zip file found here, replacing the files from version 0.5.0

However, using the letsencrypt-auto command will automatically update your lets encrypt files to 0.5.0. To get around this I simply added --no-self-upgrade to the end of the command to generate the certificate.

Hope this may be of help to anyone else with this problem.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.