Score:5

How can I disable "Subject Alternative Name" from being included in Certbot Let's Encrypt certificates?


Using Certbot to install an R3 Let's Encrypt certificate on an nginx webserver causes all the other domains in the nginx configuration to be included under "Subject Alternative Name" on the certificate. This is undesirable for my use case.

I read the man page here and some other Stack Exchange posts here and here.

Regarding the use of alternative names, the man page says (and I don't fully understand):

-d DOMAIN, --domains DOMAIN, --domain DOMAIN Domain names to apply. For multiple domains you can use multiple -d flags or enter a comma separated list of domains as a parameter. The first domain provided will be the subject CN of the certificate, and all domains will be Subject Alternative Names on the certificate. The first domain will also be used in some software user interfaces and as the file paths for the certificate and related material unless otherwise specified or you already have a certificate with the same name. In the case of a name collision it will append a number like 0001 to the file path name. (default: Ask)

How can I specify or omit the Subject Alternative Names entirely when using Certbot to install a Let's Encrypt certificate? If Certbot can't, is there a different way while still using R3 Let's Encrypt certificates?

John Hanley: Pay attention to Let's Encrypt certificate issuance quotas in case you need to create a lot of individual certificates. The main limits are Certificates per Registered Domain (50 per week) and a maximum of 300 New Orders per account per 3 hours. https://letsencrypt.org/docs/rate-limits/

iBug: Adding to @JohnHanley's comment, ZeroSSL has no such rate limits - might be a good alternative to consider (in fact, it's the default CA for acme.sh since August).

John Hanley: @iBug - ZeroSSL is a nice service. However, you are limited to three SSL certificates per 90 days. You can upgrade to a paid account to remove that limitation.

iBug: @JohnHanley That limit does *not* apply when using ACME.

John Hanley: @iBug - thank you. I found a link that confirms your comment: https://zerossl.com/documentation/acme/
Score:19

You don't really want to omit the Subject Alternative Names. If you omit the SAN, no modern browser will accept your certificates as valid. If you don't want all domains in one certificate, just create them separately.
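As an added example that is not part of the original answer, the following POSIX shell script does what the answer suggests: it runs `certbot certonly` once per hostname with a single `-d` flag, so each issued certificate's Subject Alternative Name contains exactly that one DNS name, and it adds an `openssl` check to confirm the result on the issued file. The `certbot` binary name, the use of the nginx plugin for the challenge, the hostnames, the `/etc/letsencrypt/live/...` path and the `CERTBOT` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original answer: one Certbot run per
# hostname, so each certificate's Subject Alternative Name holds a single
# DNS name. Assumptions: Certbot is installed as `certbot`, the nginx
# plugin answers the challenge, and an ACME account already exists.
# Set CERTBOT=echo to print the commands instead of running them.

CERTBOT="${CERTBOT:-certbot}"

# issue_separately HOST... : issue a separate certificate for every HOST.
# A single -d flag per run is what keeps the SAN down to one entry.
# --cert-name pins the lineage directory to the hostname, so Certbot neither
# merges this request into an existing multi-name lineage nor appends -0001.
issue_separately() {
    for host in "$@"; do
        "$CERTBOT" certonly --nginx --non-interactive \
            --cert-name "$host" -d "$host" || return 1
    done
}

# dns_names CERT.pem : print the DNS names in a certificate's SAN, one per
# line (requires openssl 1.1.1 or newer for -ext). Run it on the issued
# certificate to confirm that exactly one name is present.
dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Usage (assumed hostnames and path):
#   issue_separately example.com www.example.com mail.example.com
#   dns_names /etc/letsencrypt/live/www.example.com/cert.pem
if [ "$#" -gt 0 ]; then
    issue_separately "$@"
fi
```

Each hostname still counts towards the Let's Encrypt per-registered-domain limit mentioned in the comments, so a long list of names is better issued in batches than all at once.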
