diff --git a/certbot/client.py b/certbot/client.py
index 60e37a787..6f41a3a0b 100644
--- a/certbot/client.py
+++ b/certbot/client.py
@@ -245,8 +245,9 @@ class Client(object):
                 domains,
                 self.config.allow_subset_of_names)
 
-        domains = [a.body.identifier.value.encode('ascii')
-                                          for a in authzr]
+        auth_domains = set(a.body.identifier.value.encode('ascii')
+                           for a in authzr)
+        domains = [d for d in domains if d in auth_domains]
 
         # Create CSR from names
         key = crypto_util.init_save_key(
diff --git a/certbot/tests/client_test.py b/certbot/tests/client_test.py
index a41301148..8ceefe8ae 100644
--- a/certbot/tests/client_test.py
+++ b/certbot/tests/client_test.py
@@ -201,7 +201,8 @@ class ClientTest(unittest.TestCase):
 
         authzr = []
 
-        for domain in domains:
+        # domain ordering should not be affected by authorization order
+        for domain in reversed(domains):
             authzr.append(
                 mock.MagicMock(
                     body=mock.MagicMock(