It was time to renew several certificates, and I noticed that Lets Encrypt’ new certbot (as of 0.10 or 0.11) was issuing single certificates for zones grouped together, with the Alt Name set for the other DNS entries for zones sharing a single IP.

What does this mean in English? Think of an SNI SSL setup “virtual host” working like a party line (if you’re old enough to remember what those are). Everyone gets a different “ring”, and picks up when appropriate. Well, since they’re all on the same line, Lets Encrypt (LE) now sticks them all on the same certificate.

While this likely cleans a few things up on their end- having possibly only one certificate for the entire set of hosts- you may not always want that. In fact it’s quite unlikely that you do.

For instance: I run several personal, business, and other’s domains on this colocated machine. Several are “vanity” domains, and have no place being seen when someone clicks “View Certificate” on a business site. “saab.party” is cute (at least I think so), but doesn’t need to be there, just because it’s on the same machine.

A counterargument might be “Don’t use LE for business”, but for smaller businesses- it makes sense if you are using it only for web security, and not for purchasing or selling items. Many smaller business are also configured as VirtualHosts, rather than having their own machine, or even their own IP. It just isn’t part of their actual business- which can be hard to remember for those of us who live vicariously through the internet.

For now, I’m going to group my LE update and new requests separately for (www.?)domain.tld groups, the way it used to work.