Correct way to completely remove issued certificate(s) for a domain


#1

Hi,

I understand that I can revoke a certificate or I can wait for its expiration. But it does not remove related files from /etc/letsencrypt.

What if I have an issued certificate(s) for a domain and I know that I don’t need it anymore - what is the correct way to completely remove it? I would like to keep /etc/letsencrypt clean as much as possible.

My first idea was:

  1. revoke it
  2. delete related files from /etc/letsencrypt

But it looks to me like the design is that I should not manually edit/remove files in /etc/letsencrypt.

What do you suggest? Or am I supposed to keep files in /etc/letsencrypt forever?

Thank you!


#2

I’m honestly not sure about the files but why revoke it? Revocation implies you’ve lost control of your private key(s). You could just allow it to expire.


#3

Hi,

thank you for your reply, you are right, expiration is probably the better way regarding the Let’s Encrypt end.

Anyway I’m mostly interested in what I’m supposed to do with the files in /etc/letsencrypt.

Example scenario - the domain no longer exists.

Thank you


#4

If you no longer need them - and aren’t going to need them in the future, I don’t see any reason why you shouldn’t simply delete them.


#5

Hi,

thank you for your reply. Yes, it makes sense to me. But please note that it is not about deleting 1 file or 1 directory, you need to go at least to

/etc/letsencrypt/archives
/etc/letsencrypt/live
/etc/letsencrypt/renewal

Also if you are automating it then you need to make sure that a new version of the Let’s Encrypt client has not changed the structure in /etc/letsencrypt.

So to support full CRUD I’m wondering whether it would be a reasonable feature request to ask for the addition of a delete action (for a domain parameter).

What do you think? Perhaps I’m missing something, that’s why I ask :smile:

Thank you


#6

Yes, a feature / verb to completely remove a domain from the configuration is necessary.
Or, at least, documentation on how to do it manually in the correct order.


#7

Hi, any progress on this?

By experiment, I found the following manual solution:

  • rm -rf /etc/letsencrypt/live/${DOMAIN}
  • rm /etc/letsencrypt/renewal/${DOMAIN}.conf

Until doing that, I was getting errors on renew for the dead domain.


#8

Hi,

we implemented it in a way that we store certs forever, so unfortunately I’m unable to provide more info on this.

Kind regards,
David


#9

The reason for deleting a cert:
For example, I began developing a new version of the site at new.site.com
Then I need to issue a cert for new.site.com
Then, when development is ending, I switch the domain site.com to the directory of test.site.com
And I need to expand the certificate new.site.com to site.com.
This confused me, since I have got the root cert with the test name.
Maybe the best way to do that is to define the filename for new.site.com’s certificate on the command line, and set it to site.com


#10

I like the idea that we keep records of the certs we have generated - however I too have old certs I no longer wish to renew. I found that creating a new directory /etc/letsencrypt/renew_disabled and simply moving a domain’s renewal file from /etc/letsencrypt/renew into the new folder was enough for the certbot renew command not to action these domains.


#11

Not sure if there’s an officially supported way of doing this, but I wanted to add that in addition to the /live and /renewal directories, there’s also a copy of the cert in /archive.

find /etc/letsencrypt/ -name "*mydomain*"


#12

This worked for me, many thanks…

made a backup first though JIC,

sudo cp /etc/letsencrypt/ /etc/letsencrypt.backup -r

I deleted the ‘no longer needed domains’ in the three folders…

rm -rf /etc/letsencrypt/live/${DOMAIN}
rm -rf /etc/letsencrypt/renewal/${DOMAIN}.conf
rm -rf /etc/letsencrypt/archive/${DOMAIN}


#13

Type “certbot delete” and choose the certificate to delete from the list. It removes files from live, archive and renewal directories.

Should this issue be closed now that there is a command to do it?


#14

“certbot delete” is a good starting point, but it doesn’t remove the created Apache vhost and settings.
So executing “service apache2 restart” will trigger an “AH00526: Syntax error”
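
An added example (not code from the thread or from certbot) that scripts the manual removal described in #11/#12 and guards against the dangling-vhost failure from #14: it refuses to delete a lineage whose live path is still referenced under the web-server config directories, backs up the tree first, and only then removes the live, archive and renewal entries. LE_ROOT, CONF_DIRS and the fixture tree are assumptions so it can be exercised against a constructed directory instead of the real /etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not from the thread or certbot. Removes one certificate
# lineage (live, archive, renewal) after a backup and a check that no
# web-server config still points at the live path. LE_ROOT, CONF_DIRS and
# build_fixture are assumptions used to run this against a throwaway tree.

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"
CONF_DIRS="${CONF_DIRS:-/etc/apache2 /etc/nginx}"

# 0 if any of the three lineage locations exists.
lineage_exists() {
    [ -e "$LE_ROOT/live/$1" ] || [ -e "$LE_ROOT/archive/$1" ] ||
        [ -e "$LE_ROOT/renewal/$1.conf" ]
}

# 0 if a config under CONF_DIRS still references the lineage's live path.
lineage_referenced() {
    for d in $CONF_DIRS; do
        [ -d "$d" ] && grep -rqF "$LE_ROOT/live/$1/" "$d" && return 0
    done
    return 1
}

# Back up the whole tree, then delete the lineage's files. Returns 2 for an
# unknown lineage, 3 when a config still references it, 4 if backup failed.
remove_lineage() {
    lineage_exists "$1" || { echo "no lineage named $1" >&2; return 2; }
    if lineage_referenced "$1"; then
        echo "refusing: a config still references $LE_ROOT/live/$1/" >&2
        return 3
    fi
    cp -a "$LE_ROOT" "$LE_ROOT.backup.$$" || return 4
    rm -rf "$LE_ROOT/live/$1" "$LE_ROOT/archive/$1"
    rm -f "$LE_ROOT/renewal/$1.conf"
}

# Constructed fixture: two lineages in a temp dir, one still referenced by a
# fake vhost file. Points LE_ROOT and CONF_DIRS at the temp tree.
build_fixture() {
    root=$(mktemp -d)
    LE_ROOT="$root/letsencrypt"; CONF_DIRS="$root/apache2"
    for n in old.example.test keep.example.test; do
        mkdir -p "$LE_ROOT/live/$n" "$LE_ROOT/archive/$n" "$LE_ROOT/renewal"
        : > "$LE_ROOT/archive/$n/cert1.pem"
        ln -s "../../archive/$n/cert1.pem" "$LE_ROOT/live/$n/cert.pem"
        : > "$LE_ROOT/renewal/$n.conf"
    done
    mkdir -p "$CONF_DIRS"
    echo "SSLCertificateFile $LE_ROOT/live/keep.example.test/cert.pem" \
        > "$CONF_DIRS/keep.conf"
}
```

Source the file and run `build_fixture; remove_lineage old.example.test` to exercise it against the constructed tree; `remove_lineage keep.example.test` is refused because the fake vhost still points at it.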


#15

It would be great also if we could just do certbot delete {$DOMAIN} – having to select from a numbered list and then input the number is a little clunky.


#16

@JohnCC, you should already be able to do that with the --cert-name option. To find out the relevant cert name, you can run certbot certificates.


#17

Thank you, sorry I missed that. That helps a lot!


#18

hi,

thanks for the thread…I was wondering the same thing with a few certs that died off for me.

just to note, since I use certbot-auto on 1 of my servers, you can run this command using:

sudo ./certbot-auto delete

The question I have now is - can I rename the .conf name in /archive, /live, & /renewal?


#19

@erica, is there a way to reach rename_lineage in the cert manager from the CLI?


#20

Rename has not yet launched, because we stalled on the complexity of renaming certs within the configuration files. Currently I would recommend deleting and recreating the certs with a new name.