
SANS in acme.json vs SANS in dumped certificate

Open francescor opened this issue 10 months ago • 3 comments

I've just executed

docker run  -v $(pwd):/data ldez/traefik-certs-dumper:latest file --version v2  --source /data/acme-http.json  --dest /data/dump/acme-http

(traefik 2.10.7)

then if I inspect one of the dumped certs

openssl x509 -text -noout -in ./dump/acme-http/certs/servizi.example.com.crt

I see, as expected, my long list of SANs, but:

  1. the Subject: CN is not servizi.example.com, the name used in the filename: well, no problem with that, but I'm just curious whether it is a bug (or, worse for me, some issue with my acme-http.json ... we are having issues with it)

  2. I was expecting that the domain.main in the file acme-http.json would be what I would find in Subject: CN once the certificate is dumped, and also that the domains in domain.sans would be exactly the SANs in the certificate's X509v3 Subject Alternative Name; and this is not true.

In detail, if in acme-http.json I have

        "domain": {
          "main": "servizi.example.com",
          "sans": [
            "servizi.example1.com",
            "servizi.example2.com",
            "servizi.example3.com",
            "servizi.example4.com"
          ]
        },

then in the output of openssl x509 -text -noout -in ./dump/acme-http/certs/servizi.example.com.crt I have

        Subject: CN = servizi.example99.com

        X509v3 Subject Alternative Name:
            DNS:servizi.example2.com, DNS:servizi.example3.com, DNS:servizi.example88.com

is it just me?

(many thanks for your notes on the internet about the issue with the Traefik upgrade 2.8 => 2.9/10 and LEGO_DISABLE_CNAME_SUPPORT=true .... we struggled for a week till we hit your feeds!)

francescor avatar Apr 09 '24 15:04 francescor
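A way to check the discrepancy described in the issue directly against acme.json, instead of eyeballing the dumped .crt files, as an added example that is not part of the issue, of Traefik or of traefik-certs-dumper: the Go program below reads the v2 acme.json layout (assumed here: resolver name -> Certificates -> domain/certificate, with certificate holding the base64 of the PEM chain, leaf first), parses each leaf certificate and reports how its Subject CN and SAN list differ from the domain.main / domain.sans block stored next to it. The acme.json it runs on is constructed in memory with a self-signed certificate carrying the names quoted above, so it runs offline; the resolver name http and the hostnames are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// acmeFile mirrors only the parts of a Traefik v2 acme.json this check needs
// (assumed layout; unknown keys such as Account are ignored by encoding/json).
type acmeFile map[string]struct {
	Certificates []struct {
		Domain struct {
			Main string   `json:"main"`
			SANs []string `json:"sans"`
		} `json:"domain"`
		Certificate string `json:"certificate"` // base64 of the PEM chain
	} `json:"Certificates"`
}

// Mismatch records one entry whose X.509 names differ from its domain block.
type Mismatch struct {
	Resolver, Main, SubjectCN string
	MissingInCert             []string // in domain.main/sans, not in the cert SANs
	ExtraInCert               []string // in the cert SANs, not in acme.json
}

func (m Mismatch) String() string {
	return fmt.Sprintf("%s/%s: CN=%q missing=%v extra=%v",
		m.Resolver, m.Main, m.SubjectCN, m.MissingInCert, m.ExtraInCert)
}

// leafCert base64-decodes the stored value and parses the first CERTIFICATE
// PEM block, which in an ACME-issued chain is the end-entity certificate.
func leafCert(encoded string) (*x509.Certificate, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	for {
		var block *pem.Block
		if block, raw = pem.Decode(raw); block == nil {
			return nil, fmt.Errorf("no CERTIFICATE block found")
		}
		if block.Type == "CERTIFICATE" {
			return x509.ParseCertificate(block.Bytes)
		}
	}
}

// diff compares two name lists case-insensitively and returns sorted results.
func diff(want, got []string) (missing, extra []string) {
	wantSet, gotSet := map[string]bool{}, map[string]bool{}
	for _, n := range want {
		wantSet[strings.ToLower(n)] = true
	}
	for _, n := range got {
		gotSet[strings.ToLower(n)] = true
	}
	for n := range wantSet {
		if !gotSet[n] {
			missing = append(missing, n)
		}
	}
	for n := range gotSet {
		if !wantSet[n] {
			extra = append(extra, n)
		}
	}
	sort.Strings(missing)
	sort.Strings(extra)
	return missing, extra
}

// CheckACME reports every certificate whose Subject CN is not domain.main or
// whose SAN set is not exactly domain.main + domain.sans.
func CheckACME(data []byte) ([]Mismatch, error) {
	var f acmeFile
	if err := json.Unmarshal(data, &f); err != nil {
		return nil, err
	}
	var out []Mismatch
	for resolver, r := range f {
		for _, c := range r.Certificates {
			cert, err := leafCert(c.Certificate)
			if err != nil {
				return nil, fmt.Errorf("%s/%s: %w", resolver, c.Domain.Main, err)
			}
			want := append([]string{c.Domain.Main}, c.Domain.SANs...)
			missing, extra := diff(want, cert.DNSNames)
			if cert.Subject.CommonName != c.Domain.Main || len(missing) > 0 || len(extra) > 0 {
				out = append(out, Mismatch{resolver, c.Domain.Main, cert.Subject.CommonName, missing, extra})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Resolver+out[i].Main < out[j].Resolver+out[j].Main })
	return out, nil
}

// sampleACMEJSON builds a constructed acme.json whose domain block names
// servizi.example.com + example1..4 but whose self-signed certificate carries
// the names quoted in the issue, reproducing the reported discrepancy.
func sampleACMEJSON() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "servizi.example99.com"},
		DNSNames:     []string{"servizi.example2.com", "servizi.example3.com", "servizi.example88.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pemBytes := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	return json.Marshal(map[string]any{"http": map[string]any{"Certificates": []map[string]any{{
		"domain": map[string]any{"main": "servizi.example.com", "sans": []string{
			"servizi.example1.com", "servizi.example2.com", "servizi.example3.com", "servizi.example4.com"}},
		"certificate": base64.StdEncoding.EncodeToString(pemBytes),
		"key":         "", "Store": "default",
	}}}})
}

func main() {
	data, err := sampleACMEJSON()
	if err != nil {
		panic(err)
	}
	mismatches, err := CheckACME(data)
	if err != nil {
		panic(err)
	}
	for _, m := range mismatches {
		fmt.Println(m)
	}
}
```

Read the output as two separate signals. A CN that differs from domain.main is not by itself evidence of a problem: public CAs set the CN to one of the requested names or omit it, and TLS clients match the hostname against the SAN list, not the CN. A SAN set that is not exactly domain.main plus domain.sans, as with the constructed entry above, means the certificate stored in that acme.json entry does not belong to the domain block next to it, which is a question for the acme.json and the resolver that wrote it rather than for the dumper, which only writes out the bytes it finds.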