diff --git a/src/reverseproxy.js b/src/reverseproxy.js
index eb2226751..dcba6dd38 100644
--- a/src/reverseproxy.js
+++ b/src/reverseproxy.js
@@ -196,13 +196,12 @@ async function generateFallbackCertificate(domain) {
 const keyFilePath = path.join(os.tmpdir(), `${domain}-${crypto.randomBytes(4).readUInt32LE(0)}.key`);
 const opensslConf = safe.fs.readFileSync('/etc/ssl/openssl.cnf', 'utf8');
- // SAN must contain all the domains since CN check is based on implementation if SAN is found. -checkhost also checks only SAN if present!
- let opensslConfWithSan;
 const cn = domain;
 debug(`generateFallbackCertificate: domain=${domain} cn=${cn}`);
- opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${cn}\n`;
+ // SAN must contain all the domains since CN check is based on implementation if SAN is found. -checkhost also checks only SAN if present!
+ const opensslConfWithSan = `${opensslConf}\n[SAN]\nsubjectAltName=DNS:${domain},DNS:*.${cn}\n`;
 const configFile = path.join(os.tmpdir(), 'openssl-' + crypto.randomBytes(4).readUInt32LE(0) + '.conf');
 safe.fs.writeFileSync(configFile, opensslConfWithSan, 'utf8');
 // the days field is chosen to be less than 825 days per apple requirement (https://support.apple.com/en-us/HT210176)
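Review bot: The added `const opensslConfWithSan` line interpolates `domain` directly into an OpenSSL config section, and the same value forms part of the key file name built above it, so a value containing a newline, comma or path separator would change the generated SAN list or the temp path. No validation is visible in this hunk, though the function starts above it and may already check. If it does not, a guard such as `if (!/^[a-z0-9.-]+$/i.test(domain)) throw new Error('invalid domain');` before the config is built would close that. Separately, the config is written into `os.tmpdir()` under a name with only 32 bits of randomness and without exclusive creation. Passing `{ encoding: 'utf8', flag: 'wx', mode: 0o600 }` to the write (assuming the `safe.fs` wrapper forwards options), or creating the files inside an `fs.mkdtempSync` directory, avoids writing through a pre-existing path.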