@@ -881,6 +881,10 @@ def create_parser():
         '--reuse_key', action='store_true', default=False,
         help='Reuse private key if it was previously persisted.',
     )
+    io_group.add_argument(
+        '--allow_domain_changes', action='store_true', default=False,
+        help='Allow changes in the SANs of the certificate.'
+    )
 
     reg = parser.add_argument_group(
         'Registration', description='This client will automatically '
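Review bot: The help text on the new `--allow_domain_changes` argument does not say what the flag changes. Going by the `valid_existing_cert` hunk further down, a SAN mismatch stops raising `Backup and remove existing cert if you want to proceed` and the existing certificate is treated as needing renewal instead. I would spell that out, e.g. `help='Renew instead of aborting when the configured vhosts differ from the SANs of the existing certificate.',`, and keep the trailing comma that the `--reuse_key` call just above uses. `create_parser` starts and ends outside this hunk.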
@@ -1171,7 +1175,7 @@ def pyopenssl_cert_or_req_san(cert):
     return crypto_util._pyopenssl_cert_or_req_san(cert)
 
 
-def valid_existing_cert(cert, vhosts, valid_min):
+def valid_existing_cert(cert, vhosts, valid_min, different_domains=False):
     """Is the existing cert data valid for enough time?
 
     >>> valid_existing_cert(None, [], 0)
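Review bot: The new parameter `different_domains` reads like a statement about the inputs rather than a permission, and it does not match the `--allow_domain_changes` flag that feeds it. Naming it `allow_domain_changes=False` here, and in the `if different_domains:` check and the call in `main_with_exceptions` in the later hunks, would keep the option and the parameter in step. The visible part of the docstring still only asks `Is the existing cert data valid for enough time?`; a sentence such as `If allow_domain_changes is true, a SAN mismatch returns False (renew) instead of raising Error.` would document the new contract. The docstring and the function body continue outside this hunk.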
@@ -1186,6 +1190,11 @@ def valid_existing_cert(cert, vhosts, valid_min):
     Traceback (most recent call last):
     ...
     Error: Backup and remove existing cert if you want to proceed
+    >>> valid_existing_cert(cert, [Vhost.decode('example.net')], 0, True)
+    False
+    >>> valid_existing_cert(cert, [Vhost.decode('example.net')], 60 * 60 + 1,
+    ...     True)
+    False
     >>> valid_existing_cert(cert, [], 0)
     Traceback (most recent call last):
     ...
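Review bot: Both added doctests take the SAN-mismatch branch, so the `60 * 60 + 1` variant presumably returns before `renewal_necessary` is consulted and adds little over the first example. Nothing here pins the other half of the contract: that a certificate whose SANs match the vhosts and which has enough lifetime left still returns `True` when the fourth argument is set. One more example using a vhost that matches the `cert` fixture would cover it. The fixture setup is outside this hunk, so the exact call cannot be quoted from here.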
@@ -1199,6 +1208,8 @@ def valid_existing_cert(cert, vhosts, valid_min):
         if detect_and_log_mismatch(
                 'SANs', set(sans), set(vhost.name for vhost in vhosts),
                 log_data=', '.join):
+            if different_domains:  # SANs changed, so renew
+                return False
             raise Error(
                 'Backup and remove existing cert if you want to proceed')
         return not renewal_necessary(cert, valid_min)
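Review bot: The new `return False` under `if different_domains:` makes a SAN mismatch indistinguishable, for the caller, from an ordinary "renewal is due" result. The set of names on the certificate then changes with no message that says so at this point. Whether `detect_and_log_mismatch` logs at a level an operator will see is not visible in this hunk. Since this branch changes which identities the certificate covers, I would log it explicitly before returning, e.g. `logger.warning('SANs differ from configured vhosts; replacing existing certificate')`, using the module `logger` that `main_with_exceptions` already uses. The function body starts outside this hunk.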
@@ -1384,7 +1395,8 @@ def main_with_exceptions(cli_args):
     check_plugins_persist_all(args.ioplugins)
 
     existing_data = load_existing_data(args.ioplugins)
-    if valid_existing_cert(existing_data.cert, args.vhosts, args.valid_min):
+    if valid_existing_cert(existing_data.cert, args.vhosts, args.valid_min,
+                           args.allow_domain_changes):
         logger.info('Certificates already exist and renewal is not '
                     'necessary, exiting with status code %d.', EXIT_NO_RENEWAL)
         return EXIT_NO_RENEWAL
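Review bot: The new fourth argument in the `valid_existing_cert(...)` call is a bare positional boolean, which is easy to misread next to `args.valid_min` and easy to break if the signature grows another parameter. Passing it by keyword makes the call self-describing: `different_domains=args.allow_domain_changes)`. The same applies to the `True` arguments in the new doctests. `main_with_exceptions` starts and ends outside this hunk.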