"SANs" and "Serial Number" issue

Hi Let’s Encrypt Community,
I’m running all my domains under an A2hosting SWIFT plan account that runs on Apache 2.2.31 with CentOS6.

They activated Let’s Encrypt for us for all our domains and subdomains.

We are getting really strange behaviour:
Why do aimfi.org and physiocenter.eu have their own SANs and Serial Number, while egulp.net, egulp.org, 507panama are all mixed together with the same Serial Number?

Using SSL Checker, for “SANs” and “Serial Number” we get back:

While egulp.net / egulp.org / 507panama.com give back SANs all MIXED, and all with the SAME Serial Number!

SANs: 507panama.com, 507panama.egulp.net, clone.egulp.net, develop.egulp.net, egulp.egulp.net, egulp.net, egulp.org, mail.507panama.com, mail.egulp.net, mail.egulp.org, seblod.egulp.net, subscription.egulp.net, test.egulp.net, www.507panama.com, www.507panama.egulp.net, www.clone.egulp.net, www.develop.egulp.net, www.egulp.egulp.net, www.egulp.net, www.egulp.org, www.seblod.egulp.net, www.subscription.egulp.net, www.test.egulp.net

  • 507panama.com
    Serial Number: 037419efe5b1890923f73f2b8f6f4e3aea37

  • egulp.org
    Serial Number: 037419efe5b1890923f73f2b8f6f4e3aea37

  • egulp.net
    Serial Number: 037419efe5b1890923f73f2b8f6f4e3aea37

When we asked A2hosting support, they replied: “We have no control over the Let’s Encrypt process except to either enable it or disable it”.

Please, is it normal? Can you help us?

Yes, this is normal, in the sense that it should work as expected in web browsers and other software.

The serial number is the same because it’s the same certificate. Specifically, this one: https://crt.sh/?id=79517985

One certificate has been requested and issued with the long list of names you mentioned (egulp.org and 507panama.com and so on), and it is used on each of the sites for those names.

Let’s Encrypt is willing to issue certificates with up to 100 such names in a certificate, to anyone who can demonstrate control over all the names they want on the certificate.

If it’s important to you for these names not to all appear together in one certificate - then you may need to find out if there’s a way to get A2hosting to handle this differently, or explore if there’s a different way to work things in any control panel or other tool provided to avoid them all being bundled into one certificate. Let’s Encrypt won’t be able to help you; everything on their end is working as intended.

2 Likes
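The check described in the reply above, as an added example that is not part of the original thread: group hosts by the certificate they serve, so a shared serial number shows up as one certificate whose SAN list exposes every bundled name. The function names, the placeholder issuer and the shortened SAN list are assumptions made for this sketch; the serial is the one quoted in the question.

```python
import socket
import ssl
from collections import defaultdict


def fetch_cert(host, port=443, timeout=5.0):
    """Return the validated leaf certificate served for `host` (ssl dict form)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def dns_sans(cert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}


def group_by_certificate(certs):
    """Group hosts by (issuer, serial); a serial is only unique within one CA.

    `certs` maps hostname -> getpeercert() dict. Returns a list of dicts with
    the serial, the hosts serving that certificate, and every name it exposes.
    """
    groups = defaultdict(lambda: {"hosts": [], "sans": set()})
    for host, cert in certs.items():
        key = (cert.get("issuer"), cert["serialNumber"].lower())
        groups[key]["hosts"].append(host)
        groups[key]["sans"] |= dns_sans(cert)
    return [
        {"serial": serial, "hosts": sorted(g["hosts"]), "sans": sorted(g["sans"])}
        for (_, serial), g in groups.items()
    ]


# Constructed sample in getpeercert() format: the serial and a shortened SAN
# list are taken from the question; the issuer value is a placeholder.
SHARED = {
    "issuer": ((("commonName", "Placeholder CA"),),),
    "serialNumber": "037419EFE5B1890923F73F2B8F6F4E3AEA37",
    "subjectAltName": tuple(("DNS", n) for n in (
        "507panama.com", "egulp.net", "egulp.org", "mail.egulp.net", "test.egulp.net")),
}
SAMPLE = {"507panama.com": SHARED, "egulp.org": SHARED, "egulp.net": SHARED}

if __name__ == "__main__":
    # Live use: certs = {h: fetch_cert(h) for h in ("host1.example", "host2.example")}
    for g in group_by_certificate(SAMPLE):
        print(g["serial"], "served by", g["hosts"], "lists", g["sans"])
```

Anyone who connects to one of the grouped hosts can read the full SAN list, which is why bundling unrelated sites into one certificate links them publicly.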

Issuing a certificate, and what names to include in it, are entirely controlled by the client. The Let's Encrypt API servers are happy to issue whatever you like, rate limiting aside. If A2hosting's tools don't give their staff low level control of certificate specifics, that was A2hosting's design decision.

If "we" is "A2hosting support" and "the Let's Encrypt process" is "a control panel or something run by a different department of A2hosting", that statement is accurate.

2 Likes
