Multiple domains but one CN

Hello everyone,

I finally got a script to automatically renew my certificates for all my domains at once.
I use this line:
./letsencrypt-auto --renew-by-default --config myconfiguration.ini --redirect --hsts

My configuration ini file looks like this:

rsa-key-size = 4096
email = admin@domain.net
domains = domain1.fr,www.domain1.fr,domain2.com,www.domain2.com
text = True
renew-by-default = True
agree-tos = True

It works like a charm for now, but the only problem is that when I take a look at the certificates for each site they all have the same CN: domain1.fr

I think maybe there is something I didn’t understand. Can someone explain and/or help?

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Ubuntu 16.04 Server

My hosting provider, if applicable, is: Scaleway

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

There can only be one CN - usually the first one alphabetically.
All the names are actually found in the SAN.

So instead of doing it all in one script, should I separate all the domains so that each one has its own CN?

Why do you think you need every domain to have a CN? The CN field is deprecated and disregarded by most browsers in favor of the SubjectAlternateNames field. In fact, I think most major browsers throw an error now if you only have a CN defined.


CN as in Common Name? It identifies what domain you protect, and I think it’s a pretty big deal in SSL certificates, isn’t it?
If not, can you explain why not, please?

As I said, that field is deprecated and disregarded. What matters is in the subject alternate name field.

Agreed, today if a cert only has a CN field (and no SAN) some systems will not accept the cert.

This is really correct, even if it’s contrary to what old documentation says. The place in the certificate where the subject names are supposed to be stored has moved into the subject alternative name extension (which is not part of the X.509 subject). All browsers have respected this for many years now.
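To make the point of the replies above concrete (one CN, every name in the SAN extension, and clients matching the hostname against the SAN list while ignoring the CN), here is an added example that is not from this thread or from the Let's Encrypt client. It models the multi-domain certificate from the first post as a constructed dict in the shape Python's ssl.getpeercert() returns, and implements the name-matching rule the way a modern TLS client applies it; the allow_cn_fallback switch is an assumption added only to show the legacy behaviour side by side.

```python
"""Hostname matching against a certificate's names, SAN first, CN ignored.

Added illustration; the certificate below is constructed to mirror the
thread's `domains = domain1.fr,www.domain1.fr,domain2.com,www.domain2.com`.
"""

# Constructed certificate: one CN (domain1.fr), all four names in subjectAltName.
CERT = {
    "subject": ((("commonName", "domain1.fr"),),),
    "subjectAltName": (
        ("DNS", "domain1.fr"),
        ("DNS", "www.domain1.fr"),
        ("DNS", "domain2.com"),
        ("DNS", "www.domain2.com"),
    ),
}

# Constructed legacy-style certificate with a CN and no SAN extension at all.
LEGACY_CERT = {"subject": ((("commonName", "domain1.fr"),),)}


def dns_names(cert):
    """Return the DNS entries of the SAN extension (empty tuple if absent)."""
    return tuple(v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS")


def common_name(cert):
    """Return the subject's commonName, or None if there is none."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _label_match(pattern, hostname):
    """Case-insensitive label match; a wildcard covers exactly one left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels so "*.fr" never matches anything.
        return len(p) >= 3 and p[1:] == h[1:] and h[0] != ""
    return p == h


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """Decide whether `hostname` is covered by `cert`.

    With a SAN extension present, only SAN entries are consulted and the CN is
    ignored, which is why domain2.com is accepted although the CN is domain1.fr.
    Without SAN, a modern client rejects the certificate; allow_cn_fallback=True
    (an assumption for comparison, not a recommended setting) reproduces the old
    CN-only behaviour.
    """
    sans = dns_names(cert)
    if sans:
        return any(_label_match(name, hostname) for name in sans)
    if allow_cn_fallback:
        cn = common_name(cert)
        return cn is not None and _label_match(cn, hostname)
    return False


if __name__ == "__main__":
    print("CN:", common_name(CERT))
    print("SAN:", dns_names(CERT))
    for host in ("domain2.com", "www.domain2.com", "DOMAIN1.FR", "other.net"):
        print(f"{host:16} accepted={hostname_matches(CERT, host)}")
    print("CN-only cert, modern client:", hostname_matches(LEGACY_CERT, "domain1.fr"))
    print("CN-only cert, legacy fallback:",
          hostname_matches(LEGACY_CERT, "domain1.fr", allow_cn_fallback=True))
```

Running it shows every name from the config being accepted regardless of which one ended up as CN, and the CN-only certificate being refused unless the legacy fallback is explicitly enabled; that is the practical reason the CN value reported in the first post does not matter.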

Thanks for the answers, I learned a lot!
