I've purchased a 1 year SSL subscription (appeared to be Let's Encrypt-based) from an ecommerce service provider, for my domain www.studiotech.co.il, and got this DNS SAN list in my certificate with random names that have nothing to do with my website, including even some of my competitors:
I asked the service provider who sold me this; their response was: "there's no problem with your SSL - it works fine, it's something that may happen but there's nothing to worry about" and "it doesn't affect anything". So this is why I ask here.
It can be "normal" for a service provider to combine domain names onto one single certificate.
Well that depends on what you are referring to when you say "it".
To me, it is very suspect to charge anyone for a free service.
Well, I mean one you should be allowed to enable yourself for free.
If they do anything "for you", they are allowed to charge you for that service.
(IMHO) If they don't allow you to do this yourself (for free), then you should probably look for another provider that does. No one should have to pay an annual fee for setting up a FREE and self-renewing service.
You don't say how much you were charged, or whether this was part of a larger service or a separate paid item. It's certainly worth remembering that the actual Let's Encrypt service doesn't cost anything, but on the other hand it can make sense to pay somebody else to provide services you don't understand, even if it would be "free" to do it yourself if you learned how. Life is short.
The consequence of this list of names in the certificate is that for example a web browser can't be entirely sure whether it's talking to one of those names or another. I suspect in your case all of these names are provided by the same service provider, on the same physical hardware and perhaps the same virtual machine too, and so in practice you are obliged to trust them to keep your users' data secure from their other customers even if they issued you each separate certificates.
As a real world analogy I would say this is like if you had a kiosk or small store inside a mall, and of course the mall owners have keys for every kiosk, it would be technically possible for mall employees to enter your kiosk and take things from it, or give those keys to the operator of another kiosk or put your branding on somebody else's kiosk. This seems like a bad idea if you're a bank, or a medical clinic, or you sell firearms and so you have a duty to control all access, but it seems fine if you sell candy, or books, or clothing, you trust the mall owners to do their job properly as agreed -- in the worst case if things go wrong you can sue them for the money you lost.
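An added example, not from this thread and not Let's Encrypt's or the provider's code, showing how a TLS client decides whether a certificate is valid for the name it connected to: it walks the certificate's DNS SAN entries and accepts the first one that matches (exact match, or a wildcard standing in for exactly one leftmost label). Only www.studiotech.co.il comes from the post; every other name in the SAN list below is made up to stand in for the unrelated tenants the poster saw. The point it makes concrete is that every listed name is equally valid to the browser, so one shared certificate is "the" certificate for all of those sites at once.

```python
# Added example (not from the original thread): hostname-to-SAN matching as a
# TLS client performs it (RFC 6125 rules, the ones browsers follow). Every
# dNSName entry in the SAN list is equally valid; nothing in the certificate
# ties a name to one tenant. The list below is constructed: only
# www.studiotech.co.il is from the post, the other names are made up.
from typing import Optional

SHARED_CERT_SANS = [
    "www.studiotech.co.il",
    "studiotech.co.il",
    "shop-a.example",             # made-up unrelated tenant
    "competitor-store.example",   # made-up unrelated tenant
    "*.tenants.hosting.example",  # made-up wildcard entry
]


def _normalize(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is just the root label."""
    return name.rstrip(".").lower()


def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname.

    A wildcard is accepted only as the whole leftmost label, it matches exactly
    one label (so '*.x.example' covers 'a.x.example' but not 'a.b.x.example' or
    'x.example'), and at least two labels must follow it ('*.example' is rejected).
    """
    pattern = _normalize(pattern)
    hostname = _normalize(hostname)
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False                      # wildcard only as the entire leftmost label
    if len(p_labels) < 3:
        return False                      # '*.tld' style patterns are not accepted
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False                      # the '*' must stand for exactly one label
    return p_labels[1:] == h_labels[1:]


def matching_san(hostname: str, sans: list[str]) -> Optional[str]:
    """Return the SAN entry that makes the certificate valid for hostname, or None."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


def valid_for(hostnames: list[str], sans: list[str]) -> dict[str, bool]:
    """Which of these hostnames would a browser accept this certificate for?"""
    return {host: matching_san(host, sans) is not None for host in hostnames}


if __name__ == "__main__":
    probe = [
        "www.studiotech.co.il",
        "competitor-store.example",        # accepted: listed, unrelated to the poster
        "x.tenants.hosting.example",       # accepted via the wildcard entry
        "a.b.tenants.hosting.example",     # rejected: wildcard covers one label only
        "mail.studiotech.co.il",           # rejected: not listed
    ]
    for host, ok in valid_for(probe, SHARED_CERT_SANS).items():
        print(f"{host:32} {'accepted' if ok else 'rejected'}")
```

When a SAN extension is present, browsers ignore the certificate's Common Name entirely, so the SAN list is the whole story. To see the real list on a live server rather than the constructed one above: `openssl s_client -connect www.studiotech.co.il:443 -servername www.studiotech.co.il </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName`.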
I'm not sure this analogy is applicable to situations like these "shared SAN certificates". In your analogy, a kiosk owner getting a key would be the equivalent of e.g. a VM owner getting access to a different VM to which it should not have access. But it's HIGHLY unlikely that VMs share a common certificate IMO. The situation with shared SAN certificates like these is probably limited to shared hosting servers. Which IMO would be more analogous to multiple kiosks all owned by the single mall owner and having employees working at the kiosks who are also all employed by the mall owner: no separate businesses whatsoever. Just one key for all kiosks and no employee getting access to the key.
Amazing, now they ask $100 a month for a "personal SSL" without this DNS list, and they didn't say anything about it before selling me this one. Also, they don't provide any options for using my own SSL.
I'd like to speak about it with someone from Let's Encrypt; that service provider is basically selling a free community-based product.
As far as I remember from similar situations, the answer from Let's Encrypt was that it isn't against the "rules". You're paying for a service from your provider in essence, which is allowed. Although charging $100 is bizarre.
Hi, move your domain to Cloudflare (free) and proxy your DNS through them. This will give you free SSL for your domain (via a cloudflare managed certificate) regardless of where you actually host it. Then investigate alternative web hosts for your website.
I suspect they are suggesting that your website has to move to its own server to have its own certificate (which is more to do with how they have organized their services). $100 a month will get you lots and lots of alternative web hosting services - for instance I use AWS Lightsail to host some of my own (Linux) servers for $3.50 per month.