diff --git a/renew-certs.yaml b/renew-certs.yaml
index 5d166af93c6df85b351046e8dbec31bd4ffbae3f..ae5252c845360673ef0db696919f3009042803e4 100644
--- a/renew-certs.yaml
+++ b/renew-certs.yaml
@@ -32,11 +32,16 @@
             - ns4
         file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
       vars:
+        domains:
+          - autoconfig.shore.co.il
+          - myip.shore.co.il
+          - ns4.shore.co.il
+          - registry.shore.co.il
+          - shore.co.il
+          - www.shore.co.il
         handlers:
           - Restart Nginx on ns4
         host: ns4
-        subject_alt_name: |-
-          DNS:ns4.shore.co.il,DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il,DNS:www.shore.co.il,DNS:shore.co.il,DNS:myip.shore.co.il
       tags:
         - ns4
 
@@ -47,11 +52,16 @@
             - host01
         file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
       vars:
+        domains:
+          - code.shore.co.il
+          - git.shore.co.il
+          - lam.shore.co.il
+          - nextcloud.shore.co.il
+          - ns1.shore.co.il
+          - vouch.shore.co.il
         handlers:
           - Restart Nginx on host01
         host: host01
-        subject_alt_name: |-
-          DNS:ns1.shore.co.il,DNS:lam.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:code.shore.co.il,DNS:vouch.shore.co.il
       tags:
         - host01
 
@@ -63,13 +73,15 @@
         file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
       vars:
         delegate_host: host01
+        domains:
+          - imap.shore.co.il
+          - mta-sts.shore.co.il
+          - smtp.shore.co.il
         filename: mail
         handlers:
           - Reload Dovecot
           - Reload Exim
           - Restart Nginx on host01
         host: mail
-        subject_alt_name: |-
-            DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
       tags:
         - smtp
diff --git a/tasks/renew-cert.yaml b/tasks/renew-cert.yaml
index 27e30950bdd438b8f88825636b60521174d55a83..29f331d2a176f7a7572695711d41e62234458b92 100644
--- a/tasks/renew-cert.yaml
+++ b/tasks/renew-cert.yaml
@@ -1,4 +1,10 @@
 ---
+- name: Validate assertions
+  assert:
+    that:
+      - domains is iterable
+      - host is string
+
 - name: Generate account key
   community.crypto.openssl_privatekey:
     mode: 0o0600
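Review bot: The new `domains is iterable` check in the assert also passes for a plain string, a mapping and an empty list, because Jinja2 treats all of these as iterable. A string would then be joined character by character into the SAN by the CSR task further down, and an empty list would render a bare `DNS:` entry. Adding `- domains is not string`, `- domains is not mapping` and `- domains | length > 0` under `that:` rejects those inputs before any key or CSR is generated. The task also uses the short name `assert` while the rest of the file uses fully qualified names such as `community.crypto.openssl_privatekey`; `ansible.builtin.assert` would be consistent.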
@@ -18,10 +24,12 @@
     #   https://acme-staging-v02.api.letsencrypt.org/directory
     acme_version: &acme_version 2
     contact:
-      - mailto:hostmaster@shore.co.il
+      - mailto:{{ email }}
     select_crypto_backend: &crypto_backend cryptography
     state: present
     terms_agreed: true
+  vars:
+    email: &email hostmaster@shore.co.il
   tags:
     - always
 
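Review bot: The contact entry `- mailto:{{ email }}` is an unquoted scalar that contains a template, unlike the other templated values in this file such as `'{{ host }}.csr'`. It parses as written, but `- 'mailto:{{ email }}'` would match them and keeps the value a string if it is edited later. The address is now exposed two ways, as the task-level var `email` here and as the YAML anchor `&email` that the CSR task aliases, so a short comment on the `vars:` entry such as `# also aliased as *email in the CSR task` would help the next reader. The task this hunk edits begins above the hunk.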
@@ -38,13 +46,13 @@
   community.crypto.openssl_csr:
     country_name: &country_name IL
     digest: &digest sha256
-    email_address: &email hostmaster@shore.co.il
+    email_address: *email
     locality_name: &locality_name Israel
     organization_name: &organization_name Shore technologies
     path: &csr_src '{{ host }}.csr'
     privatekey_path: *key_src
     state: present
-    subject_alt_name: '{{ subject_alt_name }}'
+    subject_alt_name: 'DNS:{{ domains|join(",DNS:") }}'
   register: acme_csr
 
 - name: Create {{ host }} challenge
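Review bot: Building `subject_alt_name` as one comma-joined string in `'DNS:{{ domains|join(",DNS:") }}'` means an entry in `domains` that contains a comma is presumably split into additional SAN entries when the module converts the string to a list. Passing a list keeps each entry as exactly one name: `subject_alt_name: "{{ domains | map('regex_replace', '^', 'DNS:') | list }}"`. An empty `domains` renders as `DNS:` on this line, and the assert added at the top of this file does not reject that case. The CSR task begins above the hunk.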
@@ -122,7 +130,7 @@
         {{ item.mode }}
     owner: root
     group: root
-  notify: '{{ handlers }}'
+  notify: '{{ handlers|default([]) }}'
 
 - name: Generate Diffie-Hellman parameters on {{ host }}
   delegate_to: *delegate_to
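Review bot: With `notify: '{{ handlers|default([]) }}'` a caller that omits or misspells `handlers` now gets a successful run in which no service is reloaded, so the renewed certificate sits on disk while the old one stays in use until something else restarts the service. The same default is applied to the Diffie-Hellman task in the last hunk. If optional handlers are intended, say so next to the line, e.g. `# handlers is optional; without it nothing reloads the service after renewal`, and consider adding `- handlers is not defined or handlers is not string` to the assert at the top of the file. The task carrying this `notify` begins above the hunk.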
@@ -132,6 +140,6 @@
     path: /var/ssl/dhparams
     size: 4096
     state: present
-  notify: '{{ handlers }}'
+  notify: '{{ handlers|default([]) }}'
   tags:
     - dhparams