One certificate / multiple domains / domain order


#1

Hello all,

Basically almost everything works pretty fine here - so thanks a lot for all your effort!

I am looking for how to set the order / dependencies of multiple domains in one certificate (my hosting-provider lets me upload one certificate only).

What I have:

domain.com
sub.domain.com

anotherdomain.com
sub.anotherdomain.com

yetanotherdomain.com
sub.yetanotherdomain.com

How I request certificates:

./letsencrypt-auto certonly -a manual --email my@email.com -d domain.com -d sub.domain.com -d anotherdomain.com -d sub.anotherdomain.com -d yetanotherdomain.com -d sub.yetanotherdomain.com

So far, uploading the resulting certificate to my hoster works fine, but:

When I look up the certificate details for yetanotherdomain.com it reveals something like this:

Certificate
Subject domain.com
SAN domain.com yetanotherdomain.com

I’d like to avoid domain.com appearing here.

I have tried to request different certs like

./letsencrypt-auto certonly -a manual --email my@email.com -d domain.com -d sub.domain.com

./letsencrypt-auto certonly -a manual --email my@email.com -d anotherdomain.com -d sub.anotherdomain.com

./letsencrypt-auto certonly -a manual --email my@email.com -d yetanotherdomain.com -d sub.yetanotherdomain.com

… but merging them into one file and uploading it to the hoster did not work.

What am I doing wrong?


#2

Hello @gxnz,

You can’t. Right now, when you issue your certificate, Let’s Encrypt will use the first domain specified in the command to fill the Subject (Common Name) in your certificate. Keep in mind that this could change: Common Name is deprecated, and Let’s Encrypt could put any other domain that you are using in your certificate there, or even just a random serial number.

So, now, the only thing that you could do is create a different cert for every subset of your domains as you did:

But if your hosting provider only allows you to upload 1 cert, that won’t work, as you already tested ;).
Sorry, but you have no options.

Cheers,
sahsanu
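
What post #2 describes can be checked locally. The script below is an added example, not part of any post in this thread: it builds constructed self-signed certificates with openssl as stand-ins for what Let’s Encrypt would issue, then lists the names any visitor can read from each one. The helper names (make_cert, subject_cn, cert_names, discloses) are hypothetical.

```bash
#!/usr/bin/env bash
# Added example; self-signed certs are constructed stand-ins for issued ones.
set -eu

# make_cert OUT NAME...: first NAME becomes Subject CN, all NAMEs become SANs,
# mirroring how the -d list is used in the thread.
make_cert() {
    out=$1; shift
    san=$(printf 'DNS:%s,' "$@"); san=${san%,}
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $1
[ext]
subjectAltName = $san
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "$out.key" -out "$out" 2>/dev/null
    rm -f "$cfg" "$out.key"
}

# subject_cn CERT: the Common Name shown as "Subject" in certificate viewers.
subject_cn() { openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'; }

# cert_names CERT: every SAN dNSName in the certificate, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# discloses CERT NAME: succeeds if a visitor inspecting CERT can read NAME.
discloses() { cert_names "$1" | grep -qxF "$2"; }

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
# One certificate for all six names, as in the first request of the thread.
make_cert "$work/all.pem" domain.com sub.domain.com anotherdomain.com \
    sub.anotherdomain.com yetanotherdomain.com sub.yetanotherdomain.com
# One certificate for a single subset, as in the split requests.
make_cert "$work/yet.pem" yetanotherdomain.com sub.yetanotherdomain.com
for c in all yet; do
    echo "== $c.pem  Subject CN: $(subject_cn "$work/$c.pem")"
    cert_names "$work/$c.pem" | sed 's/^/   SAN: /'
done
```

Whichever name ends up in the Subject, the six-name certificate lists all six names to every visitor; only the per-subset certificate keeps domain.com out of what yetanotherdomain.com serves.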


#3

Thanks a lot for your quick reply, @sahsanu

This helps me; now I can quit searching for solutions that do not exist :)


#4

This issue is being tracked at

You can feel free to add comments there. I don’t think the boulder developers have definitively decided yet whether to add this functionality or not.


#5

My thought is the only workaround is to use separate cPanels for each domain, which I’m tempted to do…

