Confirm process for removing domain from certificate

Yes, the "operative one" is defined by which one your Apache configuration is currently pointing at, causing Apache to read that one from disk when it's started up. There is no other relevant definition of the operative one, and Certbot in some sense doesn't have a preference between the continued existence or use of one over the other.

If different virtual hosts in Apache are currently pointing to distinct certificates on disk, then there could be more than one "operative" certificate at a given time.

If you're concerned about deleting the wrong thing and breaking your setup, you can also make a backup, like

sudo rsync -a /etc/letsencrypt /tmp

Then you will have /tmp/letsencrypt containing copies of all of your certificates files (including the important symlink structure, thanks to -a) which could all be copied back if you delete something that turns out not to be what you meant to delete.


schoen, good stuff. I looked at my vhost-le-ssl.conf file. Here is a typical case (leaving out the DocumentRoot, ErrorLog, CustomLog lines that don't contribute to this discussion). NOTE THE REFERENCE TO THE -0001 CERTIFICATE:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

All that was done by certbot (or God). I didn't make changes to the new cert name.

Bingo, now we know which one is the "operative" one. All the vhost blocks are the same except for the ServerName and Alias, of course.

Now I need to delete the original. Or do I? If I keep it because of the FUD factor, will I get into trouble because it includes the domain I don't want and will be transferring to another party? Or would the receiving party then have a problem getting the cert for their new domain?

If I do need to delete it, is it safe to just delete the original cert without performing that sequence of things in the "Safely deleting certificates" instructions? I'm hoping for a "it's safe" answer. :wink:

Continuing previous, about "is it safe"

I did this per Safely deleting certificates instructions:

sudo bash -c 'grep -R live/ /etc/{nginx,httpd,apache2}'

and got this:
grep: /etc/nginx: No such file or directory
grep: /etc/apache2: No such file or directory

That means I go to step 4:
sudo certbot delete --cert-name

Off I go to do that, substituting in my original cert name of course.

That seems... wrong.

Please try:
sudo bash -c 'grep -Ri live /etc/{nginx,httpd,apache2}'

This (inclusion of -0001) is also troublesome:


Did you literally type or did you use your own domain name here?


Complete step 4. Did certbot renew --dry-run and the listing of domains is perfect; the unwanted one is not present.

Case closed.

Lessons learned:
-- I know very little about certbot.
-- I know very little about certificates.
-- In the future, I could adopt my newly learned process:

  1. Add or delete vhost blocks in vhost-le-ssl.conf

  2. Use --expand to remove a domain (and or course to add one). Blasphemy, you say.

  3. If deleting a domain, do

sudo bash -c 'grep -R live/ /etc/{nginx,httpd,apache2}'

and verify

grep: /etc/nginx: No such file or directory
grep: /etc/apache2: No such file or directory

  1. Delete the unwanted domain using:
    certbot delete --cert-name
    where is the cert name before starting this process.

OMG! That produces a huge list! I don't know what to do with it! I don't dare post it here, it will clobber this thread. Is there something specific I should for? Or ignore the whole thing just being happy it found "some" stuff?

schoen, I substituted in my own domain name.

Tip: if you don't want Certbot to create new certificates when modifying an existing one, use --cert-name when adding/removing hostnames instead of --expand.


Look at the files being used...
Pay attention to their complete paths.
None should be using the path of the cert you intend to delete deleted.


What would the full command look like? Identical to --expand but with --cert-name replacing --expand?

If that's the case, I sure do wish I knew that many hours ago. :frowning:

OK, thanks. Time to brew some coffee.

1 Like

Actually easier than I thought. Did a search on and verified wherever it appeared, it was always, the cert I want. Always in /etc/httpd/conf.d/vhost-le-ssl.conf .

Unfortunately, Certbot doesn't have options like --add-domains and --remove-domains, so usually you'd just run sudo certbot .... with the commands you'd run the first time, but with a different set of domains for the -d option(s). As already stated in this thread, the --expand command is a little bit weird in the fact that it's supposed to be meant for adding domains, but there isn't an option like --contract, i.e., the opposite of --expand to remove domains.

All in all you can conclude the management of hostnames for existing certificates in Certbot is terrible and my advice is to use the exact same command as used previously but with a different set of -d option(s) and adding the --cert-name so you don't end up with multiple certificates.


Osiris, is the command exactly:

certbot --cert-name -d -d -d

Do I need to include the actual certificate name in the command? Or does the first domain in the list need to be the certificate name, i.e, in the example above

What happens if I no longer want If I leave it out, I assume the certificate gets a new name, right? With no longer in the list, is the new cert name the same as the next domain in the list after And in this case, would be the new cert name?

And used for adding or removing domains (by omission)? And both adding and removing in the same command?

You forgot to include the actual cert name.


Only if you don't specify --cert-name will a name be generated.
Now, will it be the first one specified in your request?
I think certbot will sort the names and then pick the first one.

Here certbot tries to "best fit" the request to an already existing certificate.

If you specify the cert name it will be replaced by whatever is stated.
Which can be an add, or a remove, or an add and remove; As it is in fact a replacement of that cert.


Consider this:
certbot --cert-name -d -d -d

  1. Is the syntax correct for showing the certificate name, or is a prefix needed?

  2. If I keep the cert-name provided ( in doing an add or removal from the certificate, is the update done preserving the cert name or is a new one created leaving me with need to properly delete the original?

I'm hoping this is my last question! Thanks!

1 Like

A#1: Yes, it will create a cert by that name.
But the cert name doesn't need to look like a domain... it could also be --cert-name coolguy
The cert name is just a "text label" used to locate and manage that cert.

A#2: Yes; The use of --cert-name will force the result to be stored under that label.
[which will overwrite the previous use (if any)]


rg305, perfect.

I will mark this as a solution within the next day or two, in case anyone else wishes to chime in.

(I pity the poor person who tries to review this topic from beginning to the final solution.)

I have to say it again, the gang on this thread has helped me so much, not to just solve the problem, but present stuff in a way I learned things I can take from this and never have this problem again. THANK YOU.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.