Hi,
i was under the impression, that the first domain in an order always ends up as the subject / common name in the issued certificate.
But it seems when a renewal is requested while the DNS Authentication is still valid, then the first domain in the (ordered) alternative names is used instead. (This is just a guess though)
This can be seen with the following certificates, which all were requested with the same domains in the same order, with regenwald.org as the first domain.
ECDSA Cert Correct Common Name (= regenwald.org)
https://crt.sh/?id=2557097650
ECDSA Cert Wrong Common Name (= *.hutanhujan.org)
https://crt.sh/?id=2561311856
RSA Cert Correct Common Name (= regenwald.org)
https://crt.sh/?id=2544778698
RSA Wrong Common Name (= *.hutanhujan.org)
Not yet listed on crt.sh
Fingerprint SHA256: 4eb2f821834eac676f0f0300fccac9bb39c4d1d333d49476f1b9725de1cef226
Any assistance would be appreciated
Regards
Tim