diff --git a/global/overlay/etc/puppet/modules/cdn/files/ca/configure-acme b/global/overlay/etc/puppet/modules/cdn/files/ca/configure-acme
new file mode 100644
index 0000000..b3377d7
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/cdn/files/ca/configure-acme
@@ -0,0 +1,17 @@
+#!/bin/bash
+
+# When initializing step-ca with the docker flag DOCKER_STEPCA_INIT_ACME
+# a basic ACME provisioner is enabled. This script runs commands to modify the
+# default configuration.
+
+# Enable forceCN if not set.
+# This is needed because certbot does not include a
+# Subject CN field in the CSR:
+# https://github.com/certbot/certbot/issues/9633#issuecomment-1484988078
+# ... and the Mosquitto MQTT server uses the Subject CN in ACL filters.
+#
+# Ideally Mosquitto would learn to look at the SAN field instead:
+# https://github.com/eclipse-mosquitto/mosquitto/issues/2511
+if [ "$(step ca provisioner list | jq -r '.[] | select (.name == "acme") | .forceCN')" = "null" ]; then
+ step ca provisioner update acme --force-cn --admin-subject=step --admin-provisioner=admin --admin-password-file=/opt/step-ca/init/secrets/provisioner-password
+fi
diff --git a/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp b/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
index 1fb6c94..b6d8aa7 100644
--- a/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
+++ b/global/overlay/etc/puppet/modules/cdn/manifests/ca.pp
@@ -59,6 +59,14 @@ class cdn::ca(
 content => file('cdn/ca/bootstrap-client'),
 }
 
+ file { '/opt/step-ca/init/scripts/configure-acme':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ content => file('cdn/ca/configure-acme'),
+ }
+
 file { '/opt/step-ca/init/deb':
 ensure => directory,
 owner => 'root',
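Review bot: The `if` test on the last lines of configure-acme silently does nothing when `step ca provisioner list` fails or returns no provisioner named "acme", because the command substitution is then empty rather than "null" and the script sets neither `-e` nor `pipefail`, so the exit status of the pipeline is lost inside `[ ]`. In that case forceCN stays unset and the Mosquitto ACL mismatch the header comment warns about is presumably reintroduced with no error to point at it; whether the CA must already be reachable when this init script runs I cannot tell from the hunk. Capture the query first so a failure aborts the step: `set -euo pipefail`, `force_cn=$(step ca provisioner list | jq -r '.[] | select (.name == "acme") | .forceCN')`, `if [ "$force_cn" = "null" ]; then`. A one-line comment above the test, `# an explicit forceCN: false is left alone on purpose; only an absent key is changed`, would also make the `= "null"` comparison's intent explicit, since the header says "if not set" but the check treats false and unset differently.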