Expand ignores new domains #4052

Closed
pfigel opened this issue Jan 13, 2017 · 3 comments

pfigel commented Jan 13, 2017

A number of users on the community forum reported that they were having difficulties while trying to expand existing certificates. I was able to reproduce on a clean Ubuntu 16.04 installation, using certbot 0.10.0. I tested standalone and apache, so it's probably not plugin-specific.

Commands to reproduce, including output:

root@debug:~# ./certbot-auto certonly --standalone -d 1.debug.le.pf.vc -d 2.debug.le.pf.vc --staging --register-unsafely-without-email
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for 1.debug.le.pf.vc
tls-sni-01 challenge for 2.debug.le.pf.vc
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/1.debug.le.pf.vc/fullchain.pem. Your cert
   will expire on 2017-04-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

root@debug:~# ./certbot-auto certonly --standalone -d 1.debug.le.pf.vc -d 2.debug.le.pf.vc -d 3.debug.le.pf.vc --staging --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/1.debug.le.pf.vc.conf)

It contains these names: 1.debug.le.pf.vc, 2.debug.le.pf.vc

You requested these names for the new certificate: 1.debug.le.pf.vc,
2.debug.le.pf.vc, 3.debug.le.pf.vc.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for 1.debug.le.pf.vc
tls-sni-01 challenge for 2.debug.le.pf.vc
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/1.debug.le.pf.vc/fullchain.pem. Your cert
   will expire on 2017-04-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

root@debug:~# openssl x509 -text -noout -in /etc/letsencrypt/live/1.debug.le.pf.vc/cert.pem | grep DNS
                DNS:1.debug.le.pf.vc, DNS:2.debug.le.pf.vc

Original reports:
https://community.letsencrypt.org/t/expands-not-working-on-pre-existing-cert-requests/25605?u=pfg
https://community.letsencrypt.org/t/workaround-for-5-domain-limit/25651?u=pfg
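
A post-issuance check for the failure shown in this report, where certbot reports success but the newly requested name is absent from the certificate. This is an added example, not part of the original issue and not certbot code; the function names `cert_sans` and `missing_sans` are hypothetical, and the wildcard handling goes beyond the case in the report.

```shell
#!/bin/sh
# Added example (not certbot code). Reads `openssl x509 -text -noout` output on
# stdin and checks it against the names given as arguments.
# Assumption: a leaf certificate, where "DNS:" entries occur only in the SAN list.

# Print the certificate's DNS names, one per line, lowercased.
cert_sans() {
    grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | tr 'A-Z' 'a-z' | sort -u
}

# Print every requested name the certificate does not cover.
# Returns 0 when all names are covered, 1 otherwise.
missing_sans() {
    sans=$(cert_sans)
    status=0
    for name in "$@"; do
        want=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        wildcard="*.${want#*.}"   # a wildcard SAN one label up also covers the name
        if ! printf '%s\n' "$sans" | grep -Fqx -e "$want" -e "$wildcard"; then
            printf '%s\n' "$want"
            status=1
        fi
    done
    return "$status"
}

# SAN line as printed by the openssl command in the issue, after the "expand" run.
ISSUE_SANS='                DNS:1.debug.le.pf.vc, DNS:2.debug.le.pf.vc'

# Real use:
#   openssl x509 -text -noout -in /etc/letsencrypt/live/1.debug.le.pf.vc/cert.pem \
#     | missing_sans 1.debug.le.pf.vc 2.debug.le.pf.vc 3.debug.le.pf.vc
if ! printf '%s\n' "$ISSUE_SANS" | missing_sans 1.debug.le.pf.vc 2.debug.le.pf.vc 3.debug.le.pf.vc; then
    echo "certificate does not cover the names listed above" >&2
fi
```

Run after any expand or renew so that a missing name fails the deployment step instead of surfacing later as a browser name mismatch.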

ohemorange self-assigned this Jan 13, 2017
ohemorange added the bug label Jan 13, 2017
ohemorange added this to the 0.10.1 milestone Jan 13, 2017

bmw commented Jan 13, 2017

Thanks for the bug report @PatF. We hope to have this fixed today.

@Rikudouu

I am still having this exact issue on Ubuntu 17.04 with certbot 0.17.0. All looks well in the certbot log until I try the subdomain in a web browser, in which case I get a name mismatch.

@ohemorange

@BadassOverlord, this precise bug was closed, so sounds like it's probably a different problem with similar effects. I'd recommend posting about this on the community forum, including all the information that the "New Topic" page recommends to get help debugging the issue.
