From 9111faeb942129cf2831be3ae695b5e7b5bc5b06 Mon Sep 17 00:00:00 2001
From: Brad Warren <bmw@eff.org>
Date: Mon, 11 Apr 2016 09:44:29 -0700
Subject: [PATCH 1/2] don't lose domain ordering

---
 letsencrypt/client.py | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/letsencrypt/client.py b/letsencrypt/client.py
index 221879080..508117489 100644
--- a/letsencrypt/client.py
+++ b/letsencrypt/client.py
@@ -245,8 +245,9 @@ class Client(object):
                 domains,
                 self.config.allow_subset_of_names)
 
-        domains = [a.body.identifier.value.encode('ascii')
-                                          for a in authzr]
+        auth_domains = set(a.body.identifier.value.encode('ascii')
+                           for a in authzr)
+        domains = [d for d in domains if d in auth_domains]
 
         # Create CSR from names
         key = crypto_util.init_save_key(

From 9008adc1760e889093b618e133caaba0279a18d5 Mon Sep 17 00:00:00 2001
From: Brad Warren <bmw@eff.org>
Date: Tue, 12 Apr 2016 12:23:24 -0700
Subject: [PATCH 2/2] add test to prevent regressions

---
 letsencrypt/tests/client_test.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/letsencrypt/tests/client_test.py b/letsencrypt/tests/client_test.py
index cd6b11158..49fa5b17e 100644
--- a/letsencrypt/tests/client_test.py
+++ b/letsencrypt/tests/client_test.py
@@ -201,7 +201,8 @@ class ClientTest(unittest.TestCase):
 
         authzr = []
 
-        for domain in domains:
+        # domain ordering should not be affected by authorization order
+        for domain in reversed(domains):
             authzr.append(
                 mock.MagicMock(
                     body=mock.MagicMock(