We have a site which has three hostnames in the SAN field. The previous renewal (01-02-23) produced a certificate with:
Subject: CN = wifi.lordwilliams.org
and a SAN of DNS:lws-vm-adc-01.net.lordwilliams.org, DNS:lws-vm-adc-02.net.lordwilliams.org, DNS:wifi.lordwilliams.org
The automatic renewal on the 2nd of April gave:
Subject: CN = lws-vm-adc-01.net.lordwilliams.org
and a SAN of DNS:lws-vm-adc-01.net.lordwilliams.org, DNS:lws-vm-adc-02.net.lordwilliams.org, DNS:wifi.lordwilliams.org
We are auto-renewing with certbot 1.22.0 on CentOS Stream 8, and no configuration has been changed on the box. I have checked the backups and the "renewal" file has not changed since the previous renewal.
I realize the CN shouldn't make any difference, but we are now seeing authentication issues on NPS from certain clients after the new certificate was installed.
Has something changed in how CN is chosen when there are multiple hostnames?
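
Added example, not part of the original post: a small check that compares the subject CN and the SAN set of two certificates from their text dumps (the "Subject:" and "DNS:" lines in the form quoted above), so that a CN change across a renewal is flagged even when the SAN list is identical. The sample inputs are constructed from the values in the post, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Match "CN = host" / "CN =host" and "DNS:host" as they appear in a
# certificate text dump (assumed input format, as quoted in the post).
CN_RE = re.compile(r"\bCN\s*=\s*([^,/\n]+)")
DNS_RE = re.compile(r"\bDNS:([^\s,]+)")


@dataclass(frozen=True)
class CertNames:
    cn: Optional[str]
    sans: frozenset


def parse_names(text: str) -> CertNames:
    """Extract the subject CN and the set of DNS SANs, lower-cased."""
    m = CN_RE.search(text)
    cn = m.group(1).strip().lower() if m else None
    sans = frozenset(d.lower().rstrip(".") for d in DNS_RE.findall(text))
    return CertNames(cn, sans)


def compare_renewal(old_text: str, new_text: str) -> list:
    """Return findings describing how the names differ between two certs."""
    old, new = parse_names(old_text), parse_names(new_text)
    findings = []
    if old.cn != new.cn:
        findings.append(f"subject CN changed: {old.cn} -> {new.cn}")
    for name in sorted(new.sans - old.sans):
        findings.append(f"SAN added: {name}")
    for name in sorted(old.sans - new.sans):
        findings.append(f"SAN removed: {name}")
    if new.cn is not None and new.cn not in new.sans:
        findings.append(f"new CN {new.cn} is not present in the SAN list")
    return findings


# Constructed sample input, built from the values quoted in the post.
SANS = ("DNS:lws-vm-adc-01.net.lordwilliams.org, "
        "DNS:lws-vm-adc-02.net.lordwilliams.org, DNS:wifi.lordwilliams.org")
OLD_CERT = "Subject: CN =wifi.lordwilliams.org\n" + SANS
NEW_CERT = "Subject: CN = lws-vm-adc-01.net.lordwilliams.org\n" + SANS

if __name__ == "__main__":
    for finding in compare_renewal(OLD_CERT, NEW_CERT):
        print(finding)
```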