acme/autocert: include the domain in the SAN of the CSR

More compliant with the spec and allows autocert to work
with Pebble (see letsencrypt/pebble#304).

Fixes golang/go#39746.

Change-Id: I0f41d5b41800d57eb53055cad248e50573c6070f
GitHub-Last-Rev: 777115c545a5266609fad6888d24d586ed4c2916
GitHub-Pull-Request: golang/crypto#143
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/294389
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Dmitri Shuralyov <dmitshur@golang.org>
diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 2ea9e23..c7fbc54 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -1133,11 +1133,11 @@
 	}, nil
 }
 
-// certRequest generates a CSR for the given common name cn and optional SANs.
-func certRequest(key crypto.Signer, cn string, ext []pkix.Extension, san ...string) ([]byte, error) {
+// certRequest generates a CSR for the given common name.
+func certRequest(key crypto.Signer, name string, ext []pkix.Extension) ([]byte, error) {
 	req := &x509.CertificateRequest{
-		Subject:         pkix.Name{CommonName: cn},
-		DNSNames:        san,
+		Subject:         pkix.Name{CommonName: name},
+		DNSNames:        []string{name},
 		ExtraExtensions: ext,
 	}
 	return x509.CreateCertificateRequest(rand.Reader, req, key)
diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
index f08d800..59f39c1 100644
--- a/acme/autocert/autocert_test.go
+++ b/acme/autocert/autocert_test.go
@@ -1097,7 +1097,7 @@
 		Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1},
 		Value: []byte("dummy"),
 	}
-	b, err := certRequest(key, "example.org", []pkix.Extension{ext}, "san.example.org")
+	b, err := certRequest(key, "example.org", []pkix.Extension{ext})
 	if err != nil {
 		t.Fatalf("certRequest: %v", err)
 	}