Correct way to completely remove issued certificate(s) for a domain

No effect?? certbot revoke --cert-path /etc/letsencrypt/live/MyDomain/fullchain.pem produced “Congratulations! You have successfully revoked the certificate that was located at …”, but it is confusing: there is no “deletion”, and everything is still there when I check again with certbot certificates.

I need a real “delete”, to purge old certificates that are listed in certbot certificates… I don’t see here an instruction or an objective “step-by-step” how-to for it.

@ppKrauss

That’s correct. “certbot revoke” doesn’t delete anything.

(And you don’t need to revoke a certificate before deleting it, unless the private key has been compromised, or you no longer control the domain(s).)

“certbot delete --cert-name MyDomain” can be used to delete a certificate’s files. (It doesn’t revoke it.)


Update: In newer versions of Certbot, “certbot revoke” can optionally delete the certificate files as well.


Thanks @mnordhoff, certbot delete --cert-name MyDomain worked fine! And it is important to remember that you “… don’t need to revoke a certificate before deleting”.

Well, let’s help start a quick guide.


One problem is that you also receive a reminder email when the certificate expires after you delete the certificate. How do I cancel the mail subscription for this certificate while deleting the certificate?


The email contains a link to PERMANENTLY unsubscribe YOUR ADDRESS from alerts for ALL CERTIFICATES, past and future.

It's not possible to unsubscribe from alerts for only one certificate.

You'll only get one or two more emails, and they'll stop after the certificate has expired. Your best option is just to ignore them.

Note that certbot delete --cert-name MyDomain leaves Apache, and also certbot --apache, broken. That is, it does not remove/edit the Apache files after the delete, leaving the Apache conf files referring to non-existing files, so restarting Apache or re-running certbot --apache will give you an error. Some manual work is required to get things back on track.

It would be nice if certbot delete would take care of that too (certbot renew is smart enough to know which method was used to create the certs and use the same one to renew; would be nice if delete could too).

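A quick check for the breakage described above, added here as an example and not part of the thread or of Certbot: scan a directory of Apache configuration files for SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile directives whose paths no longer exist, which is exactly the state a certbot delete leaves behind. The sample vhost it builds in a temporary directory is constructed for the demonstration; the function name and the directory argument are assumptions, and paths relative to ServerRoot are not resolved.

```shell
#!/bin/sh
# Added example (not from the thread): report Apache SSL*File directives
# whose target files are missing, e.g. after "certbot delete".
# Usage: find_dangling_ssl_refs /etc/apache2/sites-enabled   (directory assumed)

find_dangling_ssl_refs() {
    conf_dir=$1
    # -r: recurse into the directory; -h: omit file names; -E: extended regex.
    # Leading whitespace is allowed, but a leading '#' (commented directive) is not.
    grep -rhE '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$conf_dir" 2>/dev/null |
    while read -r directive path _rest; do
        # Strip optional surrounding double quotes from the path argument.
        path=${path%\"}
        path=${path#\"}
        # Relative paths (resolved against ServerRoot by Apache) are not handled here.
        if [ ! -e "$path" ]; then
            printf '%s %s\n' "$directive" "$path"
        fi
    done
}

# Self-contained demonstration on a constructed vhost: one directive points at a
# file that exists, one at a (deleted) Let's Encrypt path, one is commented out.
# Prints the number of dangling references found (expected: 1).
demo_dangling_count() {
    tmp=$(mktemp -d)
    touch "$tmp/present.pem"
    cat > "$tmp/example.conf" <<EOF
<VirtualHost *:443>
    ServerName example.invalid
    SSLCertificateFile $tmp/present.pem
    SSLCertificateKeyFile "/etc/letsencrypt/live/deleted.invalid/privkey.pem"
    # SSLCertificateChainFile /commented/out/chain.pem
</VirtualHost>
EOF
    find_dangling_ssl_refs "$tmp" | wc -l | tr -d ' '
    rm -rf "$tmp"
}
```

Run it against sites-enabled before restarting Apache; any line it prints is a directive that will make apachectl configtest fail, and the fix is to edit or disable that vhost (a2dissite on Debian-style layouts) before the restart.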

make a feature request

that’s what that section is for

it’s highly unlikely that a feature request on the end of a chain will be picked up

a one liner!

sudo rm -rf /etc/letsencrypt/{live,archive}/"${DOMAIN:?}" /etc/letsencrypt/renewal/"${DOMAIN:?}.conf"

Delete domains from a certificate
This is like redoing the “Create a certificate” task… So, do it by subtracting the domain that you want to delete from the domain list. Example: supposing, as in Scenario-1, that you have a certificate xxxx.org with domains {xxxx.org, aaaaa.com, aaaaa.org}, and suppose that you want to delete aaaaa.com.

One command: certbot --cert-name xxxx.org -d xxxx.org -d aaaaa.org

All those are great ideas and I am thankful that I found this discussion. I learned a lot!

Altering Apache configs would certainly make it slicker, but altering them after certbot delete would be easy with sed. I just used an editor to make the changes since I was working in there anyway. Plus Apache will remind you what’s wrong if you forget. Not everyone puts their configs in the same spot where it might expect them on Ubuntu, like what I’m using: FreeBSD.

Awesome that there is a delete switch now. Thanks to who contributed it. I used it and it worked. Super easy! I really appreciate your effort! Letsencrypt and certbot have made something that used to be painfully tedious and expensive a real breeze.

Yep, awesome to have a command for this now, thanks so much.

This is really bugging me too.

Does anyone know if it is still true if you revoke the cert before you delete the cert?

Yes, it's still true. Revocation has no effect on expiry e-mails.


Thank you all for this thread. I had a server where Apache crashed due to domain(s) that were missing at that time, whose certificates Let's Encrypt tried to renew automatically. After reading the comments I made an archive of the letsencrypt folder /etc/letsencrypt/, then disabled the domain(s) via the Apache command “sudo a2dissite domain.ext.conf.conf”, and lastly used the command to remove the certificates from letsencrypt, “sudo certbot delete”. Everything worked like a charm, and Apache hasn’t crashed afterwards.

thank you, very helpful command: sudo ./certbot-auto delete works great


What about the CSRs for deleted certificates? Should we delete the related files too, or can we just leave them forever inside /etc/letsencrypt/csr?

Per

the CSRs there are not used at all. I will follow up in that thread.

Yes, this works amazingly well. I did make some small modifications as I use Ubuntu:
sudo certbot delete

Actually, this is incorrect. Let's Encrypt will not send you expiration reminders about revoked certificates.

This thread has been going for a number of years now, and I think the original question is fully resolved. I'm going to close this one now, but everyone feel free to open a new one if you have more questions.