Certbot: Développer ignore les nouveaux domaines

Un certain nombre d'utilisateurs du forum communautaire ont signalé qu'ils rencontraient des difficultés en essayant d'étendre les certificats existants. J'ai pu reproduire sur une installation propre d'Ubuntu 16.04, en utilisant certbot 0.10.0. J'ai testé standalone et apache, donc ce n'est probablement pas spécifique au plugin.

Commandes à reproduire, y compris la sortie :

root<strong i="8">@debug</strong>:~# ./certbot-auto certonly --standalone -d 1.debug.le.pf.vc -d 2.debug.le.pf.vc --staging --register-unsafely-without-email
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for 1.debug.le.pf.vc
tls-sni-01 challenge for 2.debug.le.pf.vc
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/1.debug.le.pf.vc/fullchain.pem. Your cert
   will expire on 2017-04-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

root<strong i="9">@debug</strong>:~# ./certbot-auto certonly --standalone -d 1.debug.le.pf.vc -d 2.debug.le.pf.vc -d 3.debug.le.pf.vc --staging --register-unsafely-without-email
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/1.debug.le.pf.vc.conf)

It contains these names: 1.debug.le.pf.vc, 2.debug.le.pf.vc

You requested these names for the new certificate: 1.debug.le.pf.vc,
2.debug.le.pf.vc, 3.debug.le.pf.vc.

Do you want to expand and replace this existing certificate with the new
certificate?
-------------------------------------------------------------------------------
(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for 1.debug.le.pf.vc
tls-sni-01 challenge for 2.debug.le.pf.vc
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0001_csr-certbot.pem

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/1.debug.le.pf.vc/fullchain.pem. Your cert
   will expire on 2017-04-13. To obtain a new or tweaked version of
   this certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"

root<strong i="10">@debug</strong>:~# openssl x509 -text -noout -in /etc/letsencrypt/live/1.debug.le.pf.vc/cert.pem | grep DNS
                DNS:1.debug.le.pf.vc, DNS:2.debug.le.pf.vc

Rapports originaux :
https://community.letsencrypt.org/t/expands-not-working-on-pre-existing-cert-requests/25605?u=pfg
https://community.letsencrypt.org/t/workaround-for-5-domain-limit/25651?u=pfg