[BUG] no Subject Alternative Names in auto renew certificate
Describe the bug
After auto renewing the cert with Let's Encrypt, the new cert only contains the same Subject: CN and Subject Alternative Name, without alias info
For example, with www.domain.com and alias.domain.com, the auto renew builds a new cert with only the domain.com
Expected behavior
The cert built by auto renew has to contain Subject: CN = domain.com and
X509v3 Subject Alternative Name: DNS:alias.domain.com, DNS:domain.com
Hi @jimmyGALLAND
As I recall from my PR reviews, @yeungalan didn't implement alias auto renew function into the ACME module in the first place (so this is more like a feature request than a bug). Though, I think it is not that hard to implement. But first of all, I guess I would want to know more about your setup regarding the alias hostnames.
So if I understand you correctly, what you mean here is that:
- You were originally using a certificate that contains multiple hostnames (which include alias hostnames), but not a wildcard certificate like *.domain.com
- After auto renew, the alias hostname in your certificate is gone, only the primary hostname remains in the new certificate CN field
- Your alias hostname exists in your DNS entry and has been reachable from the first certificate issuance till now (or at least till the auto renew happens)
Is that correct?
Yes, that's exactly it, the 3 points you list are correct. I think certificate items should be attached to the Generate Domain(s) entry in the New Certificate page, but not the Matching Rule
> As I recall from my PR reviews, @yeungalan didn't implement alias auto renew function into the ACME module in the first place (so this is more like a feature request than a bug).
I disagree with this: If you are able to request a certificate for multiple domains just fine and renewing silently strips the alternative names from the certificate, then cert renewal is not working correctly.
For now, an easy workaround is to request separate certificates for all alternative names.
Fix handling of all SANs during certificate renewal #829
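A post-renewal check for the regression reported in this thread, as an added example that is not the project's own code or part of any comment above: it compares the names covered by the previous certificate (Subject CN plus DNS SANs) with those in the renewed one and reports what was dropped. The function names and the `sample` helper are hypothetical, names are compared literally (no wildcard matching), and the sample certificates are constructed in memory.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"sort"
	"strings"
)

// ParseCertPEM decodes the first CERTIFICATE block of a PEM file.
func ParseCertPEM(data []byte) (*x509.Certificate, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found")
	}
	return x509.ParseCertificate(block.Bytes)
}

// certNames returns the hostnames a certificate covers (Subject CN plus DNS SANs), lowercased.
func certNames(c *x509.Certificate) map[string]bool {
	names := map[string]bool{}
	for _, n := range append([]string{c.Subject.CommonName}, c.DNSNames...) {
		if n != "" {
			names[strings.ToLower(n)] = true
		}
	}
	return names
}

// MissingAfterRenewal lists, sorted, the names the old certificate covered that the renewed one lacks.
func MissingAfterRenewal(oldCert, newCert *x509.Certificate) []string {
	renewed := certNames(newCert)
	missing := []string{}
	for n := range certNames(oldCert) {
		if !renewed[n] {
			missing = append(missing, n)
		}
	}
	sort.Strings(missing)
	return missing
}

// sample builds an unsigned in-memory certificate (constructed data, not a real cert).
func sample(cn string, sans ...string) *x509.Certificate { return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: sans} }

func main() {
	fmt.Println("dropped by renewal:", MissingAfterRenewal(sample("domain.com", "alias.domain.com", "domain.com"), sample("domain.com", "domain.com")))
}
```

For certificates on disk, pass the old and new PEM files through `ParseCertPEM` and treat a non-empty result as a failed renewal.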