After updating to latest mailcow, the ACME renewal now ignores ADDTIONAL_SAN and tries to add more domains than listed there, which results in failed certificate renewal as the Let’s Encrypt limit of 100 additional domains is exceeded.
Luckily there were some unused domains on the mail server I disabled, which mailcow ACME then omitted.
But this is not a solution and with newly added domains this issue will occur again, so I need to find out why the ADDITIONAL_SAN field is currently ignored by mailcow.
The domains listed in ADDITIONAL_SAN in mailcow.conf are separated by a comma and no wildcards are used.