When an attacker temporarily gets control of your domain (for example through domain hijacking), he may issue a certificate for your domain. The problem is that when you get back control of your own domain you may not be able to revoke the certificate (assuming you have neither the key of the certificate nor the account key), if the attacker was smart enough to add a “guard” domain name that he owns into the certificate.
Wouldn’t it be more appropriate to be able to revoke a certificate if you prove ownership of any identifier in the certificate instead of all, as required by RFC 8555?
The hosting provider puts all those identifiers into one certificate; he is the real owner of the certificate, not the tenants. Does any of the tenants have the capability to revoke the certificate at all?
Edit: You are right, the tenant may change provider, so he could revoke the original certificate that way.
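The two situations discussed above (the hijacked domain padded with a guard name, and the provider's shared certificate) can be walked through against the revocation rules of RFC 8555 section 7.6. The following is an added example, not code from the thread or from any ACME implementation; the account names, key ids and domain names are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Certificate:
    """Constructed stand-in for an issued certificate (names are hypothetical)."""
    identifiers: frozenset   # dNSName SAN entries covered by the certificate
    issuing_account: str     # ACME account that requested issuance
    key_id: str              # stand-in for the certificate's private key

@dataclass
class Requester:
    """Whoever submits the revocation request and what they can prove."""
    account: str
    authorized: set = field(default_factory=set)  # identifiers with valid authz
    keys: set = field(default_factory=set)        # certificate private keys held

def may_revoke(cert, req, policy="all"):
    """Return (allowed, reason) for a revocation request.

    policy="all" follows RFC 8555 section 7.6: the requester must be the
    issuing account, hold the certificate private key, or hold valid
    authorizations for every identifier. policy="any" is the relaxation
    proposed in the thread: one authorized identifier suffices.
    """
    if req.account == cert.issuing_account:
        return True, "issuing account"
    if cert.key_id in req.keys:
        return True, "certificate private key"
    if policy == "all":
        if cert.identifiers <= req.authorized:
            return True, "authorizations for all identifiers"
    elif policy == "any":
        if cert.identifiers & req.authorized:
            return True, "authorization for at least one identifier"
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return False, "no accepted proof of control"

# Constructed scenario 1: the attacker hijacked victim.example, obtained a
# certificate and padded it with a "guard" name only the attacker controls.
HIJACK_CERT = Certificate(frozenset({"victim.example", "guard.attacker.example"}),
                          issuing_account="attacker-acct", key_id="attacker-key")
VICTIM = Requester("victim-acct", authorized={"victim.example"})

# Constructed scenario 2: a hosting provider's shared certificate; a tenant
# controls only its own name and has neither the account nor the key.
SHARED_CERT = Certificate(frozenset({"tenant-a.example", "tenant-b.example"}),
                          issuing_account="provider-acct", key_id="provider-key")
TENANT_A = Requester("tenant-a-acct", authorized={"tenant-a.example"})
```

Under the "all" policy neither the victim nor the tenant can revoke, while the attacker's account and anyone holding the certificate key can; under "any" both can revoke, but so could the holder of a single name in a shared certificate covering other tenants, which is the flip side of the relaxation.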