Enable selecting the primary domain of a certificate


#1

I have created one certificate for several domains (3rd-level domains) that are aliases.

I would like to select the primary domain for which the certificate is created…

i.e. https://moodle.bohemia-chrudim.cz is my primary domain,
but the certificate is marked as issued for moodle.sportovniskola.bohemia-chrudim.cz

That’s only one of the aliases:

DNS record: moodle.sportovniskola.bohemia-chrudim.cz
DNS record: moodle.zakladniskola.bohemia-chrudim.cz
DNS record: moodle.hotelovaskola.bohemia-chrudim.cz
DNS record: moodle.cestovniruch.bohemia-chrudim.cz
DNS record: moodle.bohemia-chrudim.cz

But during automatic creation I can only check the box to include this domain; I can’t select moodle.bohemia-chrudim.cz as my preferred domain.


#2

Looking at the code it seems like the client simply uses the first domain passed via -d domain.tld for the Common Name field in your certificate. Basically, passing moodle.bohemia-chrudim.cz as the first domain to the client should do the trick.

Note that the Common Name isn’t used for anything other than displaying purposes (and theoretically backwards compatibility with very old clients) if the SAN extension field exists in the certificate.
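To make the point in the reply above concrete, here is an added example (not code from the thread or from the Let's Encrypt client) of how a TLS hostname check treats the Common Name versus the Subject Alternative Name list: when a SAN extension is present, only its DNS entries are consulted and the CN is ignored, so the "issued for" name the author sees has no effect on which of the five hosts the certificate is valid for. The certificate dicts are constructed for the example and mimic the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the matching rule follows RFC 6125 (single-label, left-most wildcard only, CN fallback only when no SAN exists).

```python
"""Hostname matching against a certificate's names (added example).

Rule demonstrated: if a subjectAltName extension is present, only its DNS
entries count and the Common Name is ignored; the CN is consulted only for
certificates that carry no SAN at all (RFC 6125 section 6.4.4).
"""


def _dnsname_match(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (optionally '*.' + domain) against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: '*' must be the entire left-most label and matches exactly one label.
    suffix = pattern[1:]  # e.g. ".example.test"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def names_considered(cert: dict) -> list[str]:
    """Return the DNS names a verifier would actually consult for this certificate."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san  # SAN present: the Common Name plays no role
    # No SAN extension at all: legacy fallback to the subject's Common Name(s).
    return [
        value
        for rdn in cert.get("subject", ())
        for (key, value) in rdn
        if key == "commonName"
    ]


def match_hostname(cert: dict, hostname: str) -> bool:
    """True if hostname is covered by the certificate's relevant names."""
    return any(_dnsname_match(p, hostname) for p in names_considered(cert))


# Constructed: the thread's situation, CN is one alias, all five hosts are in the SAN list.
SAN_CERT = {
    "subject": ((("commonName", "moodle.sportovniskola.bohemia-chrudim.cz"),),),
    "subjectAltName": (
        ("DNS", "moodle.sportovniskola.bohemia-chrudim.cz"),
        ("DNS", "moodle.zakladniskola.bohemia-chrudim.cz"),
        ("DNS", "moodle.hotelovaskola.bohemia-chrudim.cz"),
        ("DNS", "moodle.cestovniruch.bohemia-chrudim.cz"),
        ("DNS", "moodle.bohemia-chrudim.cz"),
    ),
}

# Constructed: a certificate with a CN but no SAN extension (legacy behaviour applies).
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.test"),),)}

# Constructed: the CN names a host that the SAN list does not; the CN must not rescue it.
CN_NOT_IN_SAN_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "example.test"),),
}


if __name__ == "__main__":
    for host in ("moodle.bohemia-chrudim.cz", "moodle.sportovniskola.bohemia-chrudim.cz"):
        print(host, "->", match_hostname(SAN_CERT, host))
    print("www.example.test (CN only, not in SAN) ->",
          match_hostname(CN_NOT_IN_SAN_CERT, "www.example.test"))
```

The third constructed certificate is the case worth remembering from the operator side: a name that appears only in the CN of a SAN-bearing certificate is not covered, so the primary domain must be in the SAN list; whether it is also the CN is cosmetic.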


#3

Yes, the trick of passing moodle.bohemia-chrudim.cz first should be the solution… but in letsencrypt-auto there is no way to select the order of the selected domains.

In my case, after executing letsencrypt-auto I got a list of 70 domains valid for certificate issuance. The order of the names in this list was absolutely random (to me)… it was not the same order as in the Apache configuration, but some randomized order. So moodle.sportovniskola.bohemia-chrudim.cz was really my first selected domain… and my preferred domain moodle.bohemia-chrudim.cz was in 4th place (I think)… I have no way to move it to first place… for example with Page Up or Page Down.


#4

Ah, I didn’t think about the apache plugin. My guess is that it shows the domains in the order it encounters them in apache config files. Since this is probably a rather uncommon use-case, I would switch to something like webroot mode and manually pass the domains in the order needed.


#5

For some reason, that’s not the effect (at least when I tested it a few weeks ago). When LE listed the domains in my vhost files, the alternate subdomains weren’t even listed together with the main one; for example, www.example.com wouldn’t necessarily be listed with example.com, even if those were the only two in the same vhost file.


#6

I’d also encourage a possibility to set the CN in the menu. Otherwise I’ll have to make a wrong certificate first and then make one by ‘hand’ again.
I ran into the rate limit before getting it right :frowning:


#7

I think this belongs to the tag “Client”, not “Issuance Policy”,
since it’s a feature request for the letsencrypt client.


#8

I was hitting the same issue when using the --apache plugin.
Doing:
./letsencrypt-auto --apache -d example.com -d atest.example.com -d prod.example.com -d static.example.com

The workaround was to use manual mode (a bit more cut & paste, but it was working):
https://tty1.net/blog/2015/using-letsencrypt-in-manual-mode_en.html