Subject Alternative Name missing in certificate and key files

I was succesffully asking and implementing letsencrypt certificate for my tomcat instance for
The first request was for domain name only that correspond to what it is used externally to acces our web site externally.
The Fully Qualified Domain Name of the server is however different. It is constrained by our virtual host provider.
This is why we requested a certificate a second time by asking it for two domain name (-d -d Everything went well. The command executed sucessfully. But when I explore the certificate or the key files I can see only one Subject Alternate Name (, the one that correspond to the subject and the first one that was asking for. Is it a bug ? or maybe I did something wrong ?

Extract from openssl x509 -text -in fullchain.pem
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X1
Not Before: Mar 12 09:46:00 2016 GMT
Not After : Jun 10 09:46:00 2016 GMT

X509v3 Subject Alternative Name:
X509v3 Certificate Policies:
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at

Your most recent certificate has both:

I’m not sure what happened with your original certificate.

I just created a new series for an another server and everything went well. Both domains are registered correctly in my keystore. I added the two domains in the first request.
#7: ObjectId: Criticality=false
SubjectAlternativeName [

I suspect Letsencrypt store old content into files in /etc/letsencrypt/{domain-name}. I saw the file last update date was correct. Is it a way to solve this ? Can I delete the files generated and request again ?

Did you reload your webserver configuration after issuing the second certificate?

Yes the server was restarted and is running but with the content of the first certificate delivered, I mean without the two SAN.

What path are you using in your server configuration? Earlier you specified I suspect Letsencrypt store old content into files in /etc/letsencrypt/{domain-name}. but this can’t be true: it’s either /etc/letsencrypt/live/{domain-name} (which contains symbolic links which should be updated at renewal) ór /etc/letsencrypt/archive/{domain-name}. (Which contains the actual certificates, but where the file names aren’t updated at renewal, just the new cert added…)

Sorry it was an error by typing /etc/letsencrypt/live/{domain-name} was the correct location.

You should check if the symlink links to the correct version of your certificate in the /archive/ directory.

I found the correct files under …/archive/ and cert2.pem chain2.pem fullchain2.pem privkey2.pem. All the files are containing the two domains. So you are right, the symbolink link was broken or incorrect for some reason. I don’t know why.