acme-companion: I am not able to generate SAN certificates for multiple domains
I have three Docker containers - gitlab, nexus and sonarqube. I set env properties like this for them:
gitlab:
VIRTUAL_HOST=gitlab.domain.net
LETSENCRYPT_HOST=gitlab.domain.net
nexus:
VIRTUAL_HOST=nexus.domain.net
LETSENCRYPT_HOST=nexus.domain.net
sonar:
VIRTUAL_HOST=sonar.domain.net
LETSENCRYPT_HOST=sonar.domain.net
When it is set like this, all is good, I can access the website of each respective service and it is protected.
The problem is that I wanted to upload some artifacts to nexus and I got this error while doing so:
Caused by: javax.net.ssl.SSLException: Certificate for <nexus.domain.net>
doesn't match any of the subject alternative names: [gitlab.domain.net]
Well … it looks like I do not have that “SAN” thing enabled, so I read in the README that I have to add the “base” domain name to LETSENCRYPT_HOST for the respective container in order to have it covered.
So I do it like this:
gitlab:
VIRTUAL_HOST=domain.net,gitlab.domain.net
LETSENCRYPT_HOST=domain.net,gitlab.domain.net
nexus:
VIRTUAL_HOST=domain.net,nexus.domain.net
LETSENCRYPT_HOST=domain.net,nexus.domain.net
sonar:
VIRTUAL_HOST=domain.net,sonar.domain.net
LETSENCRYPT_HOST=domain.net,sonar.domain.net
But the result of this is that I cannot access the first two services in the browser (neither gitlab nor nexus) BUT I can access sonar. Looking into the logs, all seems to be fine, both domain.net and service.domain.net are validated, but it seems like the sonar verification overwrote the first two.
How should I proceed?
What does that exception message even mean? Why does it say something about the gitlab service when I am operating upon nexus?
I have these DNS records set:
A domain.net 1.2.3.4
A gitlab.domain.net 1.2.3.4
A mail.domain.net 1.2.3.4
A nexus.domain.net 1.2.3.4
A sonar.domain.net 1.2.3.4
MX domain.net mail.domain.net
I also had a CN for *.domain.net but I deleted it, so I enumerated the services explicitly.
About this issue
- State: closed
- Created 8 years ago
- Comments: 20
Try to put domain.net first on the list and add it into VIRTUAL_HOST for one container only:
LETSENCRYPT_HOST=domain.net,gitlab.domain.net
I had the same issue. This worked for me.
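A pre-deployment check over the configurations discussed in this thread, added here as an example (not code from the posts or from acme-companion). It assumes the first name in LETSENCRYPT_HOST is the base name the certificate is stored under, as in the README passage the question mentions; `env`, `hosts`, `lint` and the `SUGGESTED` layout (one reading of the reply above) are hypothetical.

```python
from collections import defaultdict

SERVICES = ("gitlab", "nexus", "sonar")

def env(vhost, le_host):
    return {"VIRTUAL_HOST": vhost, "LETSENCRYPT_HOST": le_host}

# Constructed from the two configurations quoted in the question.
FIRST_TRY = {s: env(f"{s}.domain.net", f"{s}.domain.net") for s in SERVICES}
SECOND_TRY = {s: env(f"domain.net,{s}.domain.net", f"domain.net,{s}.domain.net")
              for s in SERVICES}
# Assumed reading of the reply: only gitlab also claims the bare domain.
SUGGESTED = dict(FIRST_TRY, gitlab=env("domain.net,gitlab.domain.net",
                                       "domain.net,gitlab.domain.net"))

def hosts(value):
    """Split a comma-separated host list, normalising case and whitespace."""
    return [h.strip().lower() for h in value.split(",") if h.strip()]

def lint(containers):
    """Return (duplicate_vhosts, cert_collisions) for a {container: env} map."""
    vhost_owners = defaultdict(list)   # hostname -> containers proxying it
    base_owners = defaultdict(dict)    # base name -> {container: SAN set}
    for name, cfg in containers.items():
        for h in hosts(cfg.get("VIRTUAL_HOST", "")):
            vhost_owners[h].append(name)
        sans = hosts(cfg.get("LETSENCRYPT_HOST", ""))
        if sans:
            # Assumption: the certificate is stored under the first name listed.
            base_owners[sans[0]][name] = frozenset(sans)
    # A hostname proxied by several containers is ambiguous: no single owner.
    dup = {h: o for h, o in vhost_owners.items() if len(o) > 1}
    # Same base name with different SAN sets: the requests share one storage
    # slot under the assumption above (the overwrite seen in the question).
    clash = {b: sorted(o) for b, o in base_owners.items()
             if len(set(o.values())) > 1}
    return dup, clash

if __name__ == "__main__":
    for label, cfg in [("first", FIRST_TRY), ("second", SECOND_TRY),
                       ("suggested", SUGGESTED)]:
        dup, clash = lint(cfg)
        print(f"{label}: duplicate VIRTUAL_HOST={dup} colliding certs={clash}")
```
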