Latest renewal changes certificate CN with certbot 1.22.0


We have a site which has three hostnames in the SAN field. The previous renewal (01-02-23) produced a certificate with:
Common Name: Subject: CN and a SAN of,,

The automatic renewal on the 2nd of April gave:
Subject: CN =
and a SAN of,,
We are auto-renewing with certbot 1.22.0 on Centos Stream 8, and no configuration has been changed on the box. I have checked the backups and the "renewal" file has not changed since the previous renewal.

I realize the CN shouldn't make any difference, but we are now seeing authentication issues on NPS from certain clients after the new certificate was installed.

Has something changed in how CN is chosen when there are multiple hostnames?

I do remember it change from first san in csr to first one in ABC sorted or visa versa, but can remember if it sa certbot side or LE side

but manually setting CN in CSR will solve it
not sure about certbot config


It was a change in Let's Encrypt side and reverted to the old way a few weeks ago.

So, any certs renewed since then should have the old CN name method. If you do a one-time force renew now you should get the fix.

This is a post from later in the link orangepizza provided