diff --git a/node/acme/manager.go b/node/acme/manager.go
index 6312a9f0f90cdc5b2390b36688dbd30de301b219..a22a84179dc308d9bf19b0aa25d853bb743cc4b2 100644
--- a/node/acme/manager.go
+++ b/node/acme/manager.go
@@ -13,6 +13,7 @@ import (
 	"log"
 	"math/big"
 	mrand "math/rand"
+	"strings"
 	"sync"
 	"time"
 
@@ -31,9 +32,17 @@ var (
 )
 
 type Cert struct {
-	Names []string
-	Priv []byte
-	Pub [][]byte
+	Priv []byte
+	Pub [][]byte
+}
+
+func (c *Cert) Names() (names []string) {
+	if cert, err := x509.ParseCertificate(c.Pub[0]); err == nil {
+		for _, dn := range cert.DNSNames {
+			names = append(names, strings.TrimPrefix(dn, "DNS:"))
+		}
+	}
+	return
 }
 
 func (c *Cert) TLSCertificate() (*tls.Certificate, error) {
@@ -140,8 +149,8 @@ func (m *Manager) shouldRenew() (bool, string) {
 	defer m.mx.RUnlock()
 	if time.Now().After(m.renewalDeadline) {
 		return true, fmt.Sprintf("met renewal deadline %s", m.renewalDeadline.Format(time.Stamp))
-	} else if !listsEqual(m.cert.Names, m.names) {
-		return true, fmt.Sprintf("name list changed (actual: %v, desired: %v)", m.cert.Names, m.names)
+	} else if names := m.cert.Names(); !listsEqual(names, m.names) {
+		return true, fmt.Sprintf("name list changed (actual: %v, desired: %v)", names, m.names)
 	}
 	return false, ""
 }
@@ -287,9 +296,8 @@ func makeSelfSignedCert(names []string) (*Cert, error) {
 	}
 
 	return &Cert{
-		Names: names,
-		Pub: [][]byte{derBytes},
-		Priv: keyBytes,
+		Pub: [][]byte{derBytes},
+		Priv: keyBytes,
 	}, nil
 }
 
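Review bot: `Names()` indexes `c.Pub[0]` unconditionally, so a `Cert` whose `Pub` slice is empty (the zero value, or a stored record that decoded with no chain) panics inside `shouldRenew` instead of reporting no names; guard with `if c == nil || len(c.Pub) == 0 { return nil }` before parsing. The `strings.TrimPrefix(dn, "DNS:")` is a no-op: Go's `x509.Certificate.DNSNames` already holds bare host names (the `DNS:` prefix is OpenSSL's textual rendering of SANs, not part of the parsed value), so the new `strings` import exists only to support it. A parse error is silently folded into an empty list, which the caller reads as "names changed" and renews on, masking a corrupt stored certificate rather than surfacing it. Names carried only in the Subject CN or as IP SANs are not reported either — presumably fine for DNS-only ACME issuance, but the exported method has no doc comment stating that contract.
```go
// Names returns the DNS subject alternative names of the leaf certificate
// in c.Pub[0]. It returns nil when there is no certificate or it does not
// parse; callers treat that as "no names" and will renew.
func (c *Cert) Names() []string {
	if c == nil || len(c.Pub) == 0 {
		return nil
	}
	cert, err := x509.ParseCertificate(c.Pub[0])
	if err != nil {
		return nil
	}
	return append([]string(nil), cert.DNSNames...)
}
```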
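Review bot: Because `Names()` yields an empty list both when the stored certificate has no DNS SANs and when `x509.ParseCertificate` fails on `m.cert.Pub[0]`, the reason string on the new `return true` line logs `actual: []` for a corrupt or truncated certificate, which reads as a name change rather than a broken certificate; inserting `if len(names) == 0 { return true, "stored certificate has no parseable DNS names" }` ahead of the `listsEqual` comparison keeps the two cases distinguishable in the renewal log. The new call also re-parses the DER under `m.mx` on every `shouldRenew` tick, which is cheap for a single leaf but worth a comment so nobody later puts a full chain parse behind `Names()`. Whether `listsEqual` is order-sensitive is not visible here; if it is, a CA returning SANs in a different order than `m.names` would cause a spurious renewal on every check. `shouldRenew` begins before this hunk (the `RLock` paired with the deferred `RUnlock` is outside it).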
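Review bot: With the `Names` field removed from the returned `Cert`, the `names` argument of `makeSelfSignedCert` now only reaches `shouldRenew` if the template built above this hunk places them in `DNSNames`; if it sets only `Subject.CommonName`, `Cert.Names()` returns nothing and the self-signed placeholder is flagged as "name list changed" on the first check. That may well be the intended bootstrap trigger, but it is an invariant this commit introduced and deserves a comment at the return, e.g. `// Names are recovered from the leaf's DNS SANs by Cert.Names; keep them in the template's DNSNames.` The function's body starts outside this hunk, so the template construction could not be checked here.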