diff --git a/acme/autocert/autocert.go b/acme/autocert/autocert.go
index 2ea9e23174..c7fbc54c45 100644
--- a/acme/autocert/autocert.go
+++ b/acme/autocert/autocert.go
@@ -1133,11 +1133,11 @@ func (s *certState) tlscert() (*tls.Certificate, error) {
 	}, nil
 }
 
-// certRequest generates a CSR for the given common name cn and optional SANs.
-func certRequest(key crypto.Signer, cn string, ext []pkix.Extension, san ...string) ([]byte, error) {
+// certRequest generates a CSR for the given common name.
+func certRequest(key crypto.Signer, name string, ext []pkix.Extension) ([]byte, error) {
 	req := &x509.CertificateRequest{
-		Subject:         pkix.Name{CommonName: cn},
-		DNSNames:        san,
+		Subject:         pkix.Name{CommonName: name},
+		DNSNames:        []string{name},
 		ExtraExtensions: ext,
 	}
 	return x509.CreateCertificateRequest(rand.Reader, req, key)
diff --git a/acme/autocert/autocert_test.go b/acme/autocert/autocert_test.go
index f08d8008e8..59f39c1c16 100644
--- a/acme/autocert/autocert_test.go
+++ b/acme/autocert/autocert_test.go
@@ -1097,7 +1097,7 @@ func TestCertRequest(t *testing.T) {
 		Id:    asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1},
 		Value: []byte("dummy"),
 	}
-	b, err := certRequest(key, "example.org", []pkix.Extension{ext}, "san.example.org")
+	b, err := certRequest(key, "example.org", []pkix.Extension{ext})
 	if err != nil {
 		t.Fatalf("certRequest: %v", err)
 	}