Changing the list of domains of a certificate


#1

Say I have a certificate with a main domain name example.com and several additional domain names. This certificate is installed under /etc/letsencrypt/archive/example.com. Now I want to obtain a new certificate with the same main domain name (example.com), but a different list of additional domain names. For extending the list of domain names, certbot has the --expand option, but what if I also want to remove additional domain names?


#2

For removal, as far as I am aware, you’d basically need to treat it as a different certificate lineage. Just request a new certificate with the domain list you want. If the first domain already has a directory in the letsencrypt area, you’ll find a new directory named something like example.com-0001. If you want to keep things clean and don’t intend to continue using the already-issued certificate, you can clean out all references in the /etc/letsencrypt directory structure. Make sure to make a backup if you do that.


#3

Thank you for this information. I think this is clear now.


#4

This will be different in a forthcoming release of Certbot. @erica has implemented some new certificate management functionality which provides a way to remove names as well as adding them. We’ll also update the documentation to reflect the new features.


#5

Great! When will this new version of Certbot be released?


#6

Probably later this week.


#7

Great! Then I think I will wait with my certificate change until this new release.

I guess certbot-auto will automatically update to this newer version. Is this correct?


#8

Have these changes to Certbot been made in the meantime? Apparently, the section “Re-running Certbot” of the Certbot User Guide does not mention any way to remove domain names.


#9

Hi @jeltsch, the new features did go in and so if you’re using certbot-auto you probably already have them. I will check about the documentation updates.

The new functionality is based on --cert-name as a way to refer to a specific existing certificate, removing ambiguity about whether your list of domains is meant to specify a certificate or to update a certificate.
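
The --cert-name workflow described in #9, as an added example that is not part of the original thread and is not Certbot's own code: it reads the domains of one lineage from `certbot certificates` output, lists the names that would be removed and added, and prints the reissue command. The sample listing, its layout and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): plan a domain-list change for one
# certbot lineage before reissuing it with --cert-name.

# Constructed sample of `certbot certificates` output (layout is an assumption).
SAMPLE='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com old.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
  Certificate Name: example.com-0001
    Domains: example.com mail.example.com'

# Print the domains of lineage $1, one per line, reading the listing on stdin.
lineage_domains() {
    awk -v name="$1" '
        $1 == "Certificate" && $2 == "Name:" { current = $3 }
        $1 == "Domains:" && current == name {
            for (i = 2; i <= NF; i++) print $i
        }'
}

# Print names in newline-separated list $1 that are absent from list $2.
only_in() {
    [ -n "$1" ] || return 0
    printf '%s\n' "$1" | grep -vxF -e "$2" || true
}

# Build the reissue command for lineage $1 with the desired names $2..$n.
reissue_command() {
    name=$1; shift
    list=$(printf '%s,' "$@")
    printf 'certbot certonly --cert-name %s -d %s\n' "$name" "${list%,}"
}

# Show what would change for lineage $1, then the command to run.
plan_change() {
    name=$1; shift
    current=$(printf '%s\n' "$SAMPLE" | lineage_domains "$name")
    desired=$(printf '%s\n' "$@")
    only_in "$current" "$desired" | sed 's/^/remove: /'
    only_in "$desired" "$current" | sed 's/^/add:    /'
    reissue_command "$name" "$@"
}

plan_change example.com example.com www.example.com api.example.com
```

On a real host, replace the `$SAMPLE` input with the output of `certbot certificates` and review the `remove:` lines before running the printed command.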


#10

I learned that a documentation update is in progress at

Maybe looking at that will explain the details that you need even before it appears in the regular public documentation.


#11

Yes, this helped. I was able to renew my certificate with a different set of domains. Thanks a lot.


#12

Great, I’m glad that worked! This should be visible in the regular documentation for everybody soon.

