Let's warn people more strongly about --allow-subset-of-names

[schoen]

Per #7922, sometimes people are still not realizing that --allow-subset-of-names is, as @alexzorin put it, "destructive" and potentially results in a gradual loss of certificate domain name coverage over time (which wouldn't be reversed by subsequent renewal attempts!). We can probably highlight this more prominently in both --help output and the documentation.

[bmw]

Another option here might be to deprecate it entirely. It in theory has some value, but I think it may do more harm than good.

[marcbertone]

Old issue, but I would like to explain a use case for this option.

Lets say we are hosting a site for our customer at site.apples.com. Since we are nice we also want to provide coverage on the "www" prefixed version of the domain. So we request a cert that covers site.apples.com and www.site.apples.com like so:

certbot certonly --noninteractive --webroot --webroot-path /my/web/root
     -d site.apples.com
     -d www.site.apples.com

The customer is then purchased by a competitor, so they need to "rebrand" as site.oranges.com. But of course, they dont want traffic to the old domain to fail, so we attempt to cover all potential domains with the following:

certbot certonly --allow-subset-of-names --noninteractive --webroot --webroot-path /my/web/root
     -d site.oranges.com
     -d www.site.oranges.com
     -d site.apples.com
     -d www.site.apples.com

The "--allow-subset-of-names" flag is extremely helpful for this use case, with one exception. The generated cert must include coverage for site.oranges.com, while all other domains are "nice to have". As things exist now, if we issue the cert using "--allow-subset-of-names" we will have to parse the issued cert to verify that our required domain was included.

What would make this feature even more useful (again for our use case, which may be unique) would be an "optional" domain flag (perhaps "-do") that could be used in conjunction with "--allow-subset-of-names". This would allow certbot to issue the certificate if all required domains passed their individual challenges, while ignoring any optional domains whose challenge failed.

certbot certonly --allow-subset-of-names --noninteractive --webroot --webroot-path /my/web/root
     -d site.oranges.com
     -do www.site.oranges.com
     -do site.apples.com
     -do www.site.apples.com

I should point out that our use of certbot does not rely solely on automatic renewal of certificates. If we detect that any given certificate is reaching its expiration date, we will request a new certificate via a scheduled job. That may avoid some of the concerns people have with this feature since we always have a fail-safe in place in case the renewal tanks for any reason.

[github-actions]

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.

[marcbertone]

My earlier comment still applies to our use case. We find allow-subset-of-names very useful for our purposes, and would have an even easier time if we could specify which domains are required for issuance and which are optional.

[github-actions]

We've made a lot of changes to Certbot since this issue was opened. If you still have this issue with an up-to-date version of Certbot, can you please add a comment letting us know? This helps us to better see what issues are still affecting our users. If there is no activity in the next 30 days, this issue will be automatically closed.