Latest renewal changes certificate CN with certbot 1.22.0

Hi,

We have a site which has three hostnames in the SAN field. The previous renewal (01-02-23) produced a certificate with:
Common Name: Subject: CN =wifi.lordwilliams.org and a SAN of DNS:lws-vm-adc-01.net.lordwilliams.org, DNS:lws-vm-adc-02.net.lordwilliams.org, DNS:wifi.lordwilliams.org

The automatic renewal on the 2nd of April gave:
Subject: CN = lws-vm-adc-01.net.lordwilliams.org
and a SAN of DNS:lws-vm-adc-01.net.lordwilliams.org, DNS:lws-vm-adc-02.net.lordwilliams.org, DNS:wifi.lordwilliams.org
We are auto-renewing with certbot 1.22.0 on Centos Stream 8, and no configuration has been changed on the box. I have checked the backups and the "renewal" file has not changed since the previous renewal.

I realize the CN shouldn't make any difference, but we are now seeing authentication issues on NPS from certain clients after the new certificate was installed.

Has something changed in how CN is chosen when there are multiple hostnames?

I do remember it change from first san in csr to first one in ABC sorted or visa versa, but can remember if it sa certbot side or LE side

but manually setting CN in CSR will solve it
not sure about certbot config

5 Likes

It was a change in Let's Encrypt side and reverted to the old way a few weeks ago.

So, any certs renewed since then should have the old CN name method. If you do a one-time force renew now you should get the fix.

This is a post from later in the link orangepizza provided

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.