Can you confirm that you’re using the latest version of certbot? The client should preserve the common name during renewal since version 0.8.1. I assume you used the renew subcommand here.
If this is indeed the reason, upgrading won’t fix this, as the now-incorrect common name will be preserved instead of the original one. You’d have to re-issue the certificate using the command you originally used to get the certificate, and after that the common name should stick.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Cert not yet due for renewal
You have an existing certificate that contains exactly the same domains you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ambiente.one.conf)
What would you like to do?
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for dyndns.ambiente.one
http-01 challenge for ambiente.one
http-01 challenge for www.ambiente.one
http-01 challenge for mail.ambiente.one
http-01 challenge for imap.ambiente.one
http-01 challenge for smtp.ambiente.one
http-01 challenge for preview.ambiente.one
Waiting for verification...
Cleaning up challenges
Thanks. I did some further testing and can confirm that webroot-map, unlike domain (or -d), does not preserve the domain order for setting the CN. As a workaround, try adding the following line to your configuration and then re-issue with certonly: