I create a csr.der:
openssl req -inform der -in example.com.csr.der -noout -text
Certificate Request:
Data:
Version: 0 (0x0)
Subject: C=US, ST=NewYork, L=NewYork, O=example.com, OU=example.com, CN=example.com/emailAddress=devnull@example.com/subjectAltName=DNS.1=example.com,DNS.2=www.example.com,DNS.3=test.example.com
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
...
Then I submit it to LE:
certbot-auto certonly \
--server https://acme-v01.api.letsencrypt.org/directory \
--email ssl@example.com \
--standalone --standalone-supported-challenges tls-sni-01 \
--break-my-certs --text --agree-tos --renew-by-default \
--staple-ocsp --must-staple --redirect --hsts --uir \
--csr=./example.com.csr.der --cert-path ./example.com.crt.pem
Success is reported:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
...
But in the browser, and on the command line, there's no SAN data, only the primary name:
cd /etc/letsencrypt/live/example.com
openssl x509 -text -noout -in cert.pem | grep DNS
DNS:example.com
openssl x509 -text -noout -in cert.pem
...
Subject: CN=example.com
Subject Public Key Info:
...
X509v3 Subject Alternative Name:
DNS:example.com
X509v3 Certificate Policies:
...
The single cert passes SSL Labs' server test with an A+, but only for the main domain.
What config have I missed to get SAN working properly?
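An added example, not part of the question above and not the poster's own commands: the CSR dump in the question shows `subjectAltName=DNS.1=...` inside the Subject DN and no "Requested Extensions" block, so the SANs were written as a DN attribute rather than as an X509v3 extension request, which is the only place a CA looks for them. The script below builds a P-384 CSR in DER with the SANs in the extension request, builds a second CSR the way the question did (`-subj` with `subjectAltName=`), and provides a check, `csr_ext_sans`, that prints the DNS names found in the extension request, or nothing when the CSR has none. The working directory `$CSR_DIR`, the config file names and the function names are assumptions for the example; the domains are the ones from the question.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: $CSR_DIR work dir,
# san.cnf / min.cnf config files, key.pem, good.csr.der, bad.csr.der.
set -eu

CSR_DIR="${CSR_DIR:-$(mktemp -d)}"

# openssl req config whose [v3_req] section requests a real subjectAltName
# extension; req_extensions is what puts it into the CSR's extensionRequest.
write_config() {
    cat > "$CSR_DIR/san.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no

[dn]
C = US
ST = NewYork
L = NewYork
O = example.com
CN = example.com
emailAddress = devnull@example.com

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
DNS.3 = test.example.com
EOF
    # Minimal config for the -subj variant below, with no req_extensions at all.
    printf '[req]\ndistinguished_name = dn\n\n[dn]\ncommonName = Common Name\n' \
        > "$CSR_DIR/min.cnf"
}

# P-384 key, matching the 384-bit id-ecPublicKey in the question's CSR dump.
make_key() {
    [ -f "$CSR_DIR/key.pem" ] || \
        openssl ecparam -genkey -name secp384r1 -noout -out "$CSR_DIR/key.pem"
}

# Correct form: SANs carried in the CSR's extension request. Prints the path.
make_good_csr() {
    write_config; make_key
    openssl req -new -key "$CSR_DIR/key.pem" -config "$CSR_DIR/san.cnf" \
        -outform der -out "$CSR_DIR/good.csr.der"
    echo "$CSR_DIR/good.csr.der"
}

# The question's form: subjectAltName written into the Subject via -subj.
# OpenSSL accepts it, but it becomes a DN attribute, not an X509v3 extension.
make_bad_csr() {
    write_config; make_key
    openssl req -new -key "$CSR_DIR/key.pem" -config "$CSR_DIR/min.cnf" \
        -subj "/C=US/CN=example.com/subjectAltName=DNS.1=example.com,DNS.2=www.example.com" \
        -outform der -out "$CSR_DIR/bad.csr.der"
    echo "$CSR_DIR/bad.csr.der"
}

# Print the DNS names from the CSR's "X509v3 Subject Alternative Name"
# extension (the line following that header), or nothing if there is none.
csr_ext_sans() {
    openssl req -inform der -in "$1" -noout -text \
        | grep -A1 'X509v3 Subject Alternative Name' | tail -n +2 \
        | sed 's/^[[:space:]]*//'
}
```

Run `csr_ext_sans "$(make_good_csr)"` and it prints `DNS:example.com, DNS:www.example.com, DNS:test.example.com`; run it on `make_bad_csr` and it prints nothing, which is the state the question's CSR is in. Only the first CSR gives the CA anything to copy into the certificate's SAN extension.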