When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
In my own testing just now, I tried issuing a certificate for three domains:
- Two domains I control
- A domain I don’t (
When I ran with the above flag, it created a certificate with only the first two names, and omitted (2).
Perhaps you can try that.
But I noticed one notable way in which this doesn’t work: if any of the domains are forbidden by Let’s Encrypt policy (e.g. if you put google.com as one of the domains), then the entire process will fail anyway.
Does that sound like a Certbot bug, @schoen? (On reflection, it might be impossible to solve on the ACME client side, since the order is rejected as a whole and Boulder does not report which domain triggered the policy violation?)