Correct way to completely remove issued certificate(s) for a domain


#18

hi,

thanks for the thread…I was wondering the same thing with a few certs that died off for me.

just to note, since I use certbot-auto on 1 of my servers, you can run this command using:

sudo ./certbot-auto delete

question I have now is - can I rename the .conf name in /archive, /live, & /renewal?


#19

@erica, is there a way to reach rename_lineage in the cert manager from the CLI?


#20

Rename has not yet launched, because we stalled on the complexity of renaming certs within the configuration files. Currently I would recommend deleting and recreating the certs with a new name.


#21

thanks for the reply. it’s not that big of a deal to me…my new cert is just named something like mysite-0001.conf…I can wait until rename is available.


#22

Thanks for solving my issue. You are great.


#23

No effect?? certbot revoke --cert-path /etc/letsencrypt/live/MyDomain/fullchain.pem produced “Congratulations! You have successfully revoked the certificate that was located at …”, but it is confusing: no “deletion”, everything is still there when I check again with certbot certificates.

I need a real “delete”, to purge old certificates that are listed in certbot certificates… I don’t see here an instruction or objective “step-by-step” how-to for it.


#24

@ppKrauss

That’s correct. “certbot revoke” doesn’t delete anything.

(And you don’t need to revoke a certificate before deleting it, unless the private key has been compromised, or you no longer control the domain(s).)

“certbot delete --cert-name MyDomain” can be used to delete a certificate’s files. (It doesn’t revoke it.)


#25

Thanks @mnordhoff, certbot delete --cert-name MyDomain worked fine! And important to remember that “… don’t need to revoke a certificate before deleting”.

Well, let’s help to start a fast-guide.


#26

One problem is that you also receive a reminder email when the certificate expires after you delete the certificate. How do I cancel the mail subscription for this certificate while deleting the certificate?


#27

The email contains a link to PERMANENTLY unsubscribe YOUR ADDRESS from alerts for ALL CERTIFICATES, past and future.

It’s not possible to unsubscribe from alerts for only one certificate.

You’ll only get one or two more emails, and they’ll stop after the certificate has expired. Your best option is just to ignore them. :slightly_frowning_face:


#28

Note that certbot delete --cert-name MyDomain leaves Apache and also certbot --apache broken. That is, it does not remove/edit the Apache files after delete, leaving the Apache conf files referring to non-existing files, so restarting Apache or re-running certbot --apache will give you an error. Some manual work is required to get things back on track.

It would be nice if certbot delete would take care of that too (certbot renew is smart enough to know which method was used to create the certs and use the same one to renew; would be nice if delete could too).
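A check for the situation described above, added here as an example and not certbot's or the poster's code: it lists every SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile directive whose file no longer exists, so the dangling references can be fixed before Apache is restarted. It assumes the Debian/Ubuntu layout of *.conf files under a directory such as /etc/apache2/sites-enabled, passed as the only argument.

```shell
#!/bin/sh
# Added example (not certbot's code): report Apache SSLCertificate* directives
# that point at files which no longer exist, e.g. after "certbot delete".
# Usage: dangling_cert_refs /etc/apache2/sites-enabled
# Prints one "<conf>: <directive> -> missing <path>" line per dangling reference.
dangling_cert_refs() {
  conf_dir="$1"
  # Walk every regular *.conf file below the directory (Debian/Ubuntu layout;
  # adjust the pattern for other distributions such as FreeBSD).
  find "$conf_dir" -type f -name '*.conf' | while read -r conf; do
    # Keep only active (not commented-out) certificate directives, take the
    # directive name and its path argument, and strip surrounding quotes.
    grep -E '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]+' "$conf" \
      | awk '{print $1, $2}' | tr -d '"' \
      | while read -r directive path; do
          if [ ! -e "$path" ]; then
            echo "$conf: $directive -> missing $path"
          fi
        done
  done
}
```

Run it after each deletion and again after editing the vhosts; an empty result means Apache will not trip over a missing certificate file on restart.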


#29

make a feature request

that’s what that section is for :wink:

it’s highly unlikely that a feature request on the end of a chain will be picked up


#30

a one liner!

sudo rm -rf /etc/letsencrypt/{live,renewal,archive}/{${DOMAIN},${DOMAIN}.conf}
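A guarded variant of the one-liner above, added here as an example (not certbot's code and not the poster's): in bash the brace expansion happens before ${DOMAIN} is substituted, so with DOMAIN unset or empty the command becomes rm -rf of the whole live/, renewal/ and archive/ directories and removes every lineage. The helper below refuses empty or path-like names, touches only the three paths certbot creates for a lineage, and takes an optional base directory (assumed, for testing) instead of /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not certbot's code): remove one lineage's files by hand,
# as the one-liner above does, but safely.
# Usage: remove_lineage DOMAIN [LE_DIR]   (set DRY_RUN=1 to only list paths)
remove_lineage() {
  domain="$1"
  le_dir="${2:-/etc/letsencrypt}"
  # An empty name would expand to the lineage directories themselves, and a
  # name containing "/" or "." / ".." could escape them; refuse both.
  case "$domain" in
    ""|.|..|*/*)
      echo "remove_lineage: refusing lineage name '$domain'" >&2
      return 1 ;;
  esac
  # Exactly what certbot stores per lineage: the symlink directory under
  # live/, the versioned files under archive/ and the renewal configuration.
  for path in "$le_dir/live/$domain" \
              "$le_dir/archive/$domain" \
              "$le_dir/renewal/$domain.conf"; do
    if [ -e "$path" ]; then
      if [ -n "$DRY_RUN" ]; then
        echo "would remove $path"
      else
        echo "removing $path"
        rm -rf "$path"
      fi
    fi
  done
}
```

certbot delete --cert-name does the same bookkeeping itself; this is only for setups that already rely on removing the files directly.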

#31

Delete domains from a certificate
It is like redoing the “Create a certificate” task… So, do it by subtracting the domain that you want to delete from the domain list. Example: supposing as in Scenario-1 that you have a certificate xxxx.org with domains {xxxx.org, aaaaa.com, aaaaa.org}, and suppose that you want to delete aaaaa.com.

One command: certbot --cert-name xxxx.org -d xxxx.org -d aaaaa.org


#32

All those are great ideas and I am thankful that I found this discussion. I learned a lot!

Altering Apache configs would certainly make it slicker, but altering them after certbot delete would be easy with sed. I just used an editor to make the changes since I was working in there anyway. Plus Apache will remind you what’s wrong if you forget. Not everyone puts their configs in the same spot where it might expect them on Ubuntu, like what I’m using: FreeBSD.

Awesome that there is a delete switch now. Thanks to who contributed it. I used it and it worked. Super easy! I really appreciate your effort! Letsencrypt and certbot have made something that used to be painfully tedious and expensive a real breeze.


#33

Yep, awesome to have a command for this now, thanks so much.


#34

This is really bugging me too.

Does anyone know if it is still true if you revoke the cert before you delete the cert?


#35

Yes, it’s still true. Revocation has no effect on expiry e-mails.


#36

Thank you all for this thread. I had a server where Apache crashed due to domain(s) that were missing at that time, whose certificates Letsencrypt tried to renew automatically. After reading the comments I made an archive of the letsencrypt folder /etc/letsencrypt/, then disabled the domain(s) via the Apache command “sudo a2dissite domain.ext.conf.conf”, and lastly used the command to remove the certificates from letsencrypt, “sudo certbot delete”. Everything worked like a charm, and Apache hasn’t crashed afterwards.


#37

thank you, very helpful command:

sudo ./certbot-auto delete

works great