Set default CN name for multiple certificate?

Hey folks,

i renew my certificate via certbot and now the CN-name points to instead of as it was before.

The certificate which i have requested contains further DNS-names.

For that i'm using a config-file which i parse to certbot.

authenticator = webroot
rsa-key-size = 4096
text = True
webroot-map = {",,,,":"/full/path/1", "":"/full/path/2", "":"/full/path/3"}

Is there an option where i can prefer a default CN-name for this certificate?

Hmm… seems it isn’t possible?

Can you confirm that you’re using the latest version of certbot? The client should preserve the common name during renewal since version 0.8.1. I assume you used the renew subcommand here.

If this is indeed the reason, upgrading won’t fix this, as the now incorrect common name will be preserved instead of the original one. You’d have to re-issue the certificate using the command you originally used to get the certificate, and after that the common name should stick.

Thanks @pfg for looking into this. :slight_smile:

My version is 0.9.3-r1 on Gentoo Linux.

Sure, i used renew mostly for automation but tried certonly right now too - same result:

certbot certonly --config /etc/letsencrypt/configs/

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1):
Cert not yet due for renewal

You have an existing certificate that contains exactly the same domains you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/

What would you like to do?

1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
http-01 challenge for
Waiting for verification...
Cleaning up challenges

The content of is a post above.

Thanks. I did some further testing and can confirm that webroot-map, unlike domain (or -d), does not preserve the domain order for setting the CN. As a workaround, try adding the following line to your configuration and then re-issue with certonly:

domain =,,,,,,

The CN field should be set to the first domain in that list.

I’ve filed a bug for this:


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.