Thanks. So is there a recommended way to do this without that option being available? Or do I just delete everything for dev01.example.com from /etc/letsencrypt? I prefer to stick with the OS package manager for software so can’t update to a more recent version at present.
What is the current certificate lineage (i.e., the “cert name”) of your certificate? You can look in the /etc/letsencrypt/live/ directory. Because if the name is the same as the domain you only want the cert for, you might try to use the --expand option. That option is used for adding domains and keeping the certificate name the same, but it might also be useful for keeping the same name when removing domains from a certificate.
If the current “name” of the certificate is different than the hostname you want the certificate be for, I don’t know any direct option for that.
That said, the certificate name isn’t stored anywhere. It’s just the name of the directory in /etc/letsencrypt/archive/ and /etc/letsencrypt/live/ and the name of the renewal configuration file in /etc/letsencrypt/renewal/ in the form of cert-name.conf (e.g., /etc/letsencrypt/renewal/example.com.conf).
Therefore, if you know what you’re doing, you can for example, if your current certificate name is example.com, containing numerous hostnames, but you only want dev01.example.com, but with the certificate name example.com:
Thanks Osiris, this is really useful. This confirms my suspicions about the back end of Certbot, and will make my future management of certificates much easier. I do get the commands. The certificate is already named with what I want to reduce it to, so the --expand will work for me this time, but the rest has been very helpful in clarifying my understanding of what I’m working with for future stuff. Thanks for the help.
It literally didn’t agree that you were trying to “expand” the cert. Unfortunately for people who are trying to make a cert smaller, the --expand feature will literally only grow an existing cert by adding new names to it (if possible and an appropriate matching cert is found), but never agrees to remove any names from existing certs. If the requested cert would be smaller (even in the sense of missing a single name), it makes a new lineage with the -0001 that you saw.
And notably there is no corresponding --contract or --shrink, for various historical reasons. One reason that --cert-name was added is to provide a straightforward way of accomplishing these tasks.
You have an existing certificate that contains a portion of the domains you requested (ref: {0}){br}{br}It contains these names: {1}{br}{br}You requested these names for the new certificate: {2}.{br}{br}Do you want to expand and replace this existing certificate with the new certificate?
The --expand flag simply corresponds to saying "Yes" to this question. (There is also a --duplicate flag that forces the -0001 behavior.)
--force-renewal (previously known as --renew-by-default) means "get a new certificate, and replace an existing certificate if there's any existing certificate whose names are a subset of these names (including being the same as them)". If you omit a name in an existing certificate, --force-renewal will still make a totally new lineage (named -0001 if the first-specified name is the same as the name of an existing lineage).
For example, suppose you have a lineage called example.com that covers example.com, foo.example.com, bar.example.com.
Cases involving specifying the same 3 names:
-d example.com -d foo.example.com -d bar.example.com should ask you if you want to renew or not
--force-renewal -d example.com -d foo.example.com -d bar.example.com should renew
--duplicate -d example.com -d foo.example.com -d bar.example.com should make example.com-0001
Cases involving specifying the same 3 names plus additional names:
-d example.com -d foo.example.com -d bar.example.com -d baz.example.com should ask you if you want to expand or not
--duplicate -d example.com -d foo.example.com -d bar.example.com -d baz.example.com should make example.com-0001
Cases involving specifying only some of the existing names, with or without additional names:
-d example.com -d foo.example.com should make example.com-0001 (because you didn't mention bar.example.com; none of --expand, --duplicate, or --force-renewal should change this behavior)
-d example.com -d foo.example.com -d baz.example.com should make example.com-0001 (because you didn't mention bar.example.com; none of --expand, --duplicate, or --force-renewal should change this behavior)
So, if you want to specify a lineage to act on without mentioning every domain currently covered by it, or if you want to choose a specific lineage to act on when there are two lineages that cover the same names, or if you want to remove any domains from an existing lineage, you need --cert-name. --cert-name allows you to arbitrarily reset the domain coverage of any existing lineage.
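The case table above, as an added example that is not certbot's own code: a small model of the lineage-matching decision (same names, superset, subset, --expand, --duplicate, --force-renewal, --cert-name) run against the example.com lineage from the post. The function names, the Outcome labels and the sample lineage are my own constructions.

```python
from enum import Enum


class Outcome(str, Enum):
    """Possible results of a certbot-style request (labels are mine)."""
    ASK_RENEW = "ask whether to renew (same names as an existing lineage)"
    RENEW = "renew the existing lineage in place"
    ASK_EXPAND = "ask whether to expand (superset of an existing lineage)"
    EXPAND = "expand the existing lineage in place"
    NEW_LINEAGE = "create a new lineage (-0001 style name)"
    RESET = "reset the coverage of the named lineage"


# Constructed sample: one lineage named example.com covering three names.
EXISTING = {"example.com": {"example.com", "foo.example.com", "bar.example.com"}}


def next_free_name(existing, base):
    """First lineage name of the form base, base-0001, base-0002, ... not in use."""
    if base not in existing:
        return base
    n = 1
    while f"{base}-{n:04d}" in existing:
        n += 1
    return f"{base}-{n:04d}"


def decide(existing, requested, *, expand=False, duplicate=False,
           force_renewal=False, cert_name=None):
    """Return (outcome, lineage name) for the given -d names and flags.

    existing: lineage name -> set of domains it currently covers.
    requested: the -d names in the order given (first one names a new lineage).
    """
    req = set(requested)
    if cert_name is not None:
        # --cert-name acts on that lineage whatever it currently covers.
        return Outcome.RESET, cert_name
    if duplicate:
        # --duplicate always forces a fresh lineage.
        return Outcome.NEW_LINEAGE, next_free_name(existing, requested[0])
    for name, covered in existing.items():
        if covered == req:
            return (Outcome.RENEW if force_renewal else Outcome.ASK_RENEW), name
        if covered < req:
            # Existing names are a strict subset of the request: an expansion.
            return (Outcome.EXPAND if (expand or force_renewal) else Outcome.ASK_EXPAND), name
    # Some existing name was omitted: no flag turns this into a renewal.
    return Outcome.NEW_LINEAGE, next_free_name(existing, requested[0])
```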
Is it me or does the bold+italic part of that sentence leave room for interpreting --force-renewal as not adding -0001 to the first FQDN if you only ask for a few (i.e.: subset) of the domains originally in the cert?
Besides that, great explanation of the options of certbot.