diff --git a/tigervnc.changes b/tigervnc.changes
index 292699d..c449f33 100644
--- a/tigervnc.changes
+++ b/tigervnc.changes
@@ -1,3 +1,31 @@
+-------------------------------------------------------------------
+Tue Mar 26 08:22:53 UTC 2019 - Yifan Jiang <yfjiang@suse.com>
+
+- Update with-vnc-key.sh to use only hostname for CN.
+
+  The gnutls introduces gnutls_x509_crt_check_hostname2 in
+  gnutls/lib/x509/hostname-verify.c#L159 to check if the given
+  certificate's subject matches the given hostname.
+
+  The function is used by the recent version of libvncclient which
+  will fail to verify the certification if there is a mismatching
+  between the connected hostname and the cert issuer's common name.
+
+  https://github.com/LibVNC/libvncserver/commit/cc69ee9
+
+  So the previous way to generate the vnc server's cert brings a
+  complicated CN, making the client using libvncclient
+  (e.g. vinagre, remmina) hard to adapt the hostname check. It is
+  better to populate the hostname as the common name without extra
+  strings.
+
+-------------------------------------------------------------------
+Thu Mar 21 09:16:51 UTC 2019 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Change Requires(post): firewall-macros to BuildRequires: the
+  macros are expanded at build time and not needed at all at
+  runtime.
+
 -------------------------------------------------------------------
 Thu Feb  7 12:34:03 UTC 2019 - Stephan Kulow <coolo@suse.com>
 
diff --git a/tigervnc.spec b/tigervnc.spec
index 0971d4b..3835d3c 100644
--- a/tigervnc.spec
+++ b/tigervnc.spec
@@ -153,7 +153,7 @@ Requires(post): /usr/sbin/groupadd
 Requires(post): /bin/awk
 Requires(post): systemd
 %if %{use_firewalld}
-Requires(post): firewall-macros
+BuildRequires:  firewall-macros
 %endif
 # Needed to generate certificates
 Requires:       windowmanager
diff --git a/with-vnc-key.sh b/with-vnc-key.sh
index 8da6bdc..39fc549 100644
--- a/with-vnc-key.sh
+++ b/with-vnc-key.sh
@@ -25,7 +25,7 @@ fi
     # If the cert file doesn't exist, generate it.
     if ! test -e $TLSCERT ; then
         # Keeping it short, because hostname could be long and max CN is 64 characters
-        CN="VNC service on `hostname`"
+        CN="`hostname`"
         CN=${CN:0:64}
         openssl req -new -x509 -extensions usr_cert -key $TLSKEY -out $TLSCERT -days 7305 -subj "/CN=$CN/"
         chown vnc:vnc $TLSCERT