Custom Domain Names and Auto-assigned TLS Certificates

Should the auto-assigned Let’s Encrypt TLS certificates include the custom domains as Subject Alt Names? If not, is uploading a custom TLS certificate the only method to support TLS on custom domains with HSTS enabled?

As an example, we have a project with multiple custom domains. The root domains each have HSTS enabled via strict-transport-security HTTP headers. However, when accessing our domains via HTTPS, the TLS certificates are reported as invalid.

As a workaround, we can generate custom certificates, but I can't help but think I must be missing a step in the process, as the auto-assigned TLS certificates would be mostly useless otherwise.

Yes, the auto-assigned Let’s Encrypt certificate should add custom domains as SANs, and you should be able to set the strict-transport-security header for them and still have them show as valid.

I would suggest opening a ticket with support in this case. It's possible the process that requests the certificate was unable to generate it for one or more of your domains, which is why those are showing as invalid.
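The answer above says each custom domain should appear as a SAN on the auto-issued certificate and that HSTS should then work. Before opening a ticket, it is worth confirming exactly which part is failing. The script below is an added example for this thread, not code from the original post or from the hosting platform. It checks whether a hostname is covered by a certificate's SAN entries (using the dict format returned by `ssl.SSLSocket.getpeercert()`) and whether the response carries a valid `Strict-Transport-Security` header, then offers a live `probe()` against a real host. The `SAMPLE_CERT` and `SAMPLE_HEADERS` values, and the `example.com` / `example-platform.site` names in them, are constructed for illustration.

```python
"""Check SAN coverage and HSTS for a custom domain.

Added example for this thread (not the platform's code). Sample data below
is constructed; the cert dict uses the shape of ssl.SSLSocket.getpeercert().
"""
import http.client
import ssl

# Constructed: the kind of certificate the asker describes, where the
# platform's own hostname and the www custom domain are SANs but the bare
# root domain is missing.
SAMPLE_CERT = {
    "subject": ((("commonName", "main-abc123.example-platform.site"),),),
    "subjectAltName": (
        ("DNS", "main-abc123.example-platform.site"),
        ("DNS", "www.example.com"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed response headers in the list-of-tuples form of
# http.client.HTTPResponse.getheaders().
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]


def san_dns_names(cert):
    """DNS entries of the subjectAltName extension (browsers ignore the CN
    whenever a SAN extension is present, so this is the list that matters)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(pattern, hostname):
    """Match one SAN DNS entry against a hostname, case-insensitively.
    A wildcard is only valid as the whole leftmost label and covers exactly
    one label (RFC 6125 6.4.3): *.example.com matches www.example.com but
    neither example.com nor a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    if "*" in pattern[1:]:
        return False
    suffix = pattern[1:]  # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def cert_covers_host(cert, hostname):
    """True if any SAN DNS entry covers the hostname."""
    return any(hostname_matches(p, hostname) for p in san_dns_names(cert))


def hsts_policy(headers):
    """Parse Strict-Transport-Security into {max_age, include_subdomains,
    preload}. Returns None when the header is absent or invalid (RFC 6797
    requires max-age; browsers ignore a header without a usable one)."""
    value = next((v for n, v in headers if n.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        key, _, arg = directive.strip().partition("=")
        key = key.strip().lower()
        if key == "max-age":
            try:
                policy["max_age"] = int(arg.strip().strip('"'))
            except ValueError:
                return None
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess(hostname, cert, headers):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if not cert_covers_host(cert, hostname):
        findings.append("%s not in SANs %s: browsers will reject the certificate"
                        % (hostname, san_dns_names(cert)))
    policy = hsts_policy(headers)
    if policy is None:
        findings.append("no valid Strict-Transport-Security header")
    elif policy["max_age"] == 0:
        findings.append("HSTS max-age=0 only clears an existing policy")
    return findings


def probe(hostname, port=443, timeout=5):
    """Live check (not run offline). The chain is still verified against the
    system CA store, but check_hostname is off so a SAN mismatch is reported
    as a finding instead of aborting the handshake. Note that with
    verify_mode=CERT_NONE getpeercert() would return an empty dict."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    conn = http.client.HTTPSConnection(hostname, port, context=ctx, timeout=timeout)
    conn.request("HEAD", "/", headers={"Host": hostname})
    resp = conn.getresponse()
    findings = assess(hostname, conn.sock.getpeercert(), resp.getheaders())
    conn.close()
    return findings


if __name__ == "__main__":
    for host in ("www.example.com", "example.com"):
        print(host, assess(host, SAMPLE_CERT, SAMPLE_HEADERS) or "ok")
```

Run `probe("yourdomain.example")` for each root and `www` name separately: the wildcard rule above means a `*.example.com` SAN never covers the bare root, which is a common cause of "valid on www, invalid on the root" reports. Since HSTS turns a certificate error into a hard failure with no click-through, it is safer to confirm SAN coverage for every custom domain before the `strict-transport-security` header goes live.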