diff --git a/webmin/edit_ssl.cgi b/webmin/edit_ssl.cgi index 3466c3b50..9bc63d1c3 100755 --- a/webmin/edit_ssl.cgi +++ b/webmin/edit_ssl.cgi @@ -277,7 +277,9 @@ else { my @doms = $config{'letsencrypt_doms'} ? split(/\s+/, $config{'letsencrypt_doms'}) : ( $host ); print &ui_table_row($text{'ssl_letsdoms'}, - &ui_textarea("dom", join("\n", @doms), 5, 40)); + &ui_textarea("dom", join("\n", @doms), 5, 40)."
\n". + &ui_checkbox("subset", 1, $text{'ssl_subset'}, + $config{'letsencrypt_subset'})); # Apache vhost or other path my @opts; diff --git a/webmin/lang/en b/webmin/lang/en index 41a37e36c..16e6aa465 100644 --- a/webmin/lang/en +++ b/webmin/lang/en @@ -424,6 +424,7 @@ ssl_letserr2=Alternately, check the module configuration page t ssl_letsdesc2=This page can be used to request a new certificate, which will overwrite any other currently have configured in Webmin. However, the Let's Encrypt service requires that your ownership of the certificate domain be validated by checking that this system hosts the website for the domain. This is done by placing a small temporary file in the website's document directory. ssl_letsheader=Options for new SSL certificate ssl_letsdoms=Hostnames for certificate +ssl_subset=Skip unverifiable hostnames? ssl_letsmode=Let's Encrypt validation method ssl_letsmode0=Apache virtual host matching hostname ssl_letsmode1=Selected Apache virtual host diff --git a/webmin/letsencrypt-lib.pl b/webmin/letsencrypt-lib.pl index 88f279a95..2011b4212 100755 --- a/webmin/letsencrypt-lib.pl +++ b/webmin/letsencrypt-lib.pl 
@@ -58,14 +58,15 @@ return &software::missing_install_link(
 # request_letsencrypt_cert(domain|&domains, webroot, [email], [keysize],
 # [request-mode], [use-staging], [account-email],
-# [reuse-key], [server-url, server-key, server-hmac])
+# [reuse-key], [server-url, server-key, server-hmac],
+# [allow-subset])
 # Attempt to request a cert using a generated key with the Let's Encrypt client
 # command, and write it to the given path. Returns a status flag, and either
 # an error message or the paths to cert, key and chain files.
 sub request_letsencrypt_cert
 {
 my ($dom, $webroot, $email, $size, $mode, $staging, $account_email,
- $key_type, $reuse_key, $server, $server_key, $server_hmac) = @_;
+ $key_type, $reuse_key, $server, $server_key, $server_hmac, $subset) = @_;
 my @doms = ref($dom) ? @$dom : ($dom);
 $email ||= "root\@$doms[0]";
 $mode ||= "web";
@@ -179,6 +180,7 @@ if ($letsencrypt_cmd) {
 my $new_flags = "";
 my $reuse_flags = "";
 my $server_flags = "";
+ my $subset_flags = "";
 $key_type ||= $config{'letsencrypt_algo'} || 'rsa';
 if (&compare_version_numbers($cmd_ver, 1.11) < 0) {
 $old_flags = " --manual-public-ip-logging-ok";
@@ -192,6 +194,9 @@ if ($letsencrypt_cmd) {
 else {
 $reuse_flags = " --no-reuse-key";
 }
+ if ($subset) {
+ $subset_flags = " --allow-subset-of-names";
+ }
 $reuse_flags = "" if ($reuse_key && $reuse_key == -1);
 if ($server) {
 $server_flags = " --server ".quotemeta($server);
@@ -227,6 +232,7 @@ if ($letsencrypt_cmd) {
 $old_flags.
 $server_flags.
 $new_flags.
+ $subset_flags.
 " 2>&1)");
 &reset_environment();
 }
@@ -245,6 +251,7 @@ if ($letsencrypt_cmd) {
 $old_flags.
 $server_flags.
 $new_flags.
+ $subset_flags.
 " 2>&1)");
 &reset_environment();
 }
@@ -260,6 +267,7 @@ if ($letsencrypt_cmd) {
 $old_flags.
 $server_flags.
 $new_flags.
+ $subset_flags.
 " 2>&1)");
 &reset_environment();
 }
diff --git a/webmin/letsencrypt.cgi b/webmin/letsencrypt.cgi
index d20f2f23c..f012e4425 100755
--- a/webmin/letsencrypt.cgi
+++ b/webmin/letsencrypt.cgi
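Review bot: The updated header comment for request_letsencrypt_cert in the first hunk still omits the key-type argument, which the `my (...) = @_` list places between account-email and reuse-key. Counting positions from the comment therefore makes allow-subset the twelfth argument, while `$subset` is actually the thirteenth. I would end the comment with `# [account-email], [key-type], [reuse-key],` and `# [server-url, server-key, server-hmac], [allow-subset])`. The function body continues outside the hunk.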
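Review bot: In the hunk that sets `$subset_flags`, `--allow-subset-of-names` lets certbot report success after dropping hostnames it could not validate, and per the header comment the success return carries only the cert, key and chain paths. The caller then has no way to tell that the installed certificate covers fewer names than requested, so clients of the dropped hostnames would see name-mismatch errors. I would add a comment above the branch such as `# Cert may be issued without some requested names; callers should compare its SANs against @doms`. Ideally the names that were skipped would also be reported in the UI. The enclosing `if ($letsencrypt_cmd)` block starts and ends outside the hunk.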
@@ -76,7 +76,7 @@ else { if ($in{'save'}) { # Just update renewal - &save_renewal_only(\@doms, $webroot, $mode); + &save_renewal_only(\@doms, $webroot, $mode, $size, $in{'subset'}); &redirect("edit_ssl.cgi"); } else { @@ -88,7 +88,9 @@ else { 'letsencrypt_doing', "".&html_escape(join(", ", @doms))."", "".&html_escape($webroot).""),"
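Review bot: The raw form value `$in{'subset'}` is passed straight to save_renewal_only, which the later hunk at -148 shows storing it in `$config{'letsencrypt_subset'}` before `&save_module_config()`. The checkbox only ever posts 1, but a hand-built request can post anything, and how the config writer treats unexpected characters is not visible here. Reducing it to a flag at the call is cheap: `&save_renewal_only(\@doms, $webroot, $mode, $size, $in{'subset'} ? 1 : 0);`. Nothing in the visible hunks reads the stored flag back for renewals, so it is worth confirming the renewal path forwards it to request_letsencrypt_cert.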

\n"; - my ($ok, $cert, $key, $chain) = &request_letsencrypt_cert(\@doms, $webroot, undef, $size, $mode, $in{'staging'}); + my ($ok, $cert, $key, $chain) = &request_letsencrypt_cert( + \@doms, $webroot, undef, $size, $mode, $in{'staging'}, + undef, 0, undef, undef, undef, $in{'subset'}); if (!$ok) { print &text('letsencrypt_failed', $cert),"

\n"; } @@ -148,15 +150,16 @@ else { &ui_print_footer("", $text{'index_return'}); } -# save_renewal_only(&doms, webroot, mode) +# save_renewal_only(&doms, webroot, mode, size, subset-mode) # Save for future renewals sub save_renewal_only { -my ($doms, $webroot, $mode) = @_; +my ($doms, $webroot, $mode, $size, $subset) = @_; $config{'letsencrypt_doms'} = join(" ", @$doms); $config{'letsencrypt_webroot'} = $webroot; $config{'letsencrypt_mode'} = $mode; $config{'letsencrypt_size'} = $size; +$config{'letsencrypt_subset'} = $subset; &save_module_config(); if (&foreign_check("webmincron")) { my $job = &find_letsencrypt_cron_job();
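Review bot: The new request_letsencrypt_cert call in the -88 hunk passes twelve arguments, but the signature in letsencrypt-lib.pl takes thirteen with `$subset` last, because `$key_type` sits between `$account_email` and `$reuse_key`. As written, the `0` binds to `$key_type` and `$in{'subset'}` binds to `$server_hmac`. `$subset` is therefore undef, and the checkbox has no effect on an immediate request. The tail of the call should read `undef, undef, 0, undef, undef, undef, $in{'subset'} ? 1 : 0);`. The stray value in `$server_hmac` looks harmless only if that parameter is used solely when `$server` is set, which is outside the visible lines.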