Wrong CN using multiple SAN


#1

Hi there,

I’ve deployed a Linux Nginx-based server on which I request my certificates from Let’s Encrypt (certonly). I also wrote a script for monthly renewals. So far, everything works well.
My requests are based on a config file (using --config option) in which I specified all my domains:

domains = domain1.de, domain2.de, domain3.net, domain4.net

Therefore, I get a certificate with a SAN in it for each one of my domains which is great.

But here comes the problem: The CN is not the first declared domain as it should be! Instead and for any appearant reason, it is domain3.net.
I host my company’s website and I have a reverse proxy for some clients so yes, it is important to me because even if it is perfectly working, I’d like to show my company’s domain (domain1.de) as the CN and not one of my client’s one (domain3.net) on the browsers.

I tried to reorder the line, remove domains and asking brand new certificates then reinsterted them, I even tried to reorder the renewal conf (/etc/letsencrypt/renewal/domain1.de.conf) in which they are not ordered as in the config file by the way…

Anyone had similar problems? Thanks for any kind of help!


#2

This is a known bug, refer to this post for more details:


#3

Thanks for your quick answer!
So if I understand well, I have to either downgrade to 0.4.* or wait for 0.6.0 but in all cases, 0.5.0 is responsible for this error? I precise that I never used the --expand flag and that all of my requests are done after flushing existing certificates or are simple renewals, I never tried to add domains on the fly.
I’m not a native english speaker so I’d like to be sure of what I read! :sweat_smile:


#4

That’s correct. --expand isn’t necessary to trigger this bug - any certificate generated by the client has this issue.


#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.