hm.. not sure I understand. "auto" part in "autocert" is the whole point of it to request certs automatically during GetCertificate based on what a client sends in SNI.

what would you want to add to SANs manually?

Good question. We'd like to upload autocert-generated certificates to CDNs which terminate client SSL. A lot of CDNs (like AWS Cloudfront) allow uploading just one certificate per site, so we want to issue a certificate for example.com and add www.example.com as a SAN so the CDN can terminate SSL for both endpoints with a single certificate.

Right. It seems like what you want is to pre-generate a cert for all hosts what clients will be connecting to. By "pre-generate" I mean in the context of autocert, because the way it works is it requests a certificate issuance during an in-flight TLS request if no certs are already available.

Maybe something like dns-01 would be more suited for this use case? Check the discussion and my example in #23198 (comment).

We considered DNS-01, but we don't control DNS for our users' sites. HTTP-01 or TLS-ALPN challenges work because our users add a CNAME record pointing to a an endpoint we host (which is currently backed by autocert). We could ask them to add an additional CNAME record for _acme-challenge, but we'd rather not. Our autocert setup works for now because we don't have the single certificate limitation, but using CDNs throws a wrench in the works. It's okay if this isn't what autocert is meant for; we can use cert-manager because we operate kube clusters.

I am going to just fork autocert and change HostPolicy to this: type HostPolicy func(ctx context.Context, host string) (cn string, san []string, error)