Correct way to completely remove issued certificate(s) for a domain

DavidCDNsun · December 20, 2015, 4:59pm

Hi,

I understand that I can revoke a certificate or I can wait for its expiration. But it does not remove related files from /etc/letsencrypt.

What if I have an issued certificate(s) for a domain and I know that I don’t need it anymore - what is the correct way to completely remove it? I would like to keep /etc/letsencrypt clean as much as possible.

My first idea was:

revoke it
delete related files from /etc/letsencrypt

But it looks to me that the design is that I should not manually edit/remove files in /etc/letsencrypt.

What do you suggest? Or am I supposed to keep files in /etc/letsencrypt forever?

Thank you!

Fsantiago1979 · December 20, 2015, 6:12pm

I’m honestly not sure about the files but why revoke it? Revocation implies you’ve lost control of your private key(s). You could just allow it to expire.

DavidCDNsun · December 20, 2015, 6:40pm

Hi,

thank you for your reply, your are right, expiration is probably better way regarding Let’s Encrypt end.

Anyway I’m mostly interest in what I’m supposed to do with files in /etc/letsencrypt.

Scenario example - the domain no more exists.

Thank you

serverco · December 20, 2015, 7:50pm

If you no longer need them - and aren’t going to need them in the future, I don’t see any reason why you shouldn’t simply delete them.

DavidCDNsun · December 20, 2015, 8:46pm

Hi,

thank you for reply. Yes, it makes sense to me. But please note that it is not about deleting 1 file or 1 directory, you need to go at least to

/etc/letsencrypt/archives
/etc/letsencrypt/live
/etc/letsencrypt/renewal

Also if you are automatizing it then you need to make sure that new version of Let’s Encrypt client did not changed the structure in /etc/letsencrypt.

So to support full CRUD I’m thinking if it would be a reasonable feature request to request addition of delete action (for a domain parameter).

What do you think? Perhaps I’m missing something, that’s why I ask

Thank you

prisma · April 8, 2016, 10:21am

Yes, a feature / verb to completely remove a domain from configuration is necessary.
Or, at least, a documentation how to do it manually in correct order.

rbrich · June 3, 2016, 10:09am

Hi, any progress on this?

By experiment, I found following manual solution:

rm -rf /etc/letsencrypt/live/${DOMAIN}
rm /etc/letsencrypt/renewal/${DOMAIN}.conf

Until doing that, I was getting errors on renew for the dead domain.

DavidCDNsun · June 3, 2016, 10:28am

Hi,

we implemented in a way that we store certs forever so unfortunately I’m unable to provide more info in this.

Kind regards,
David

sanechca79 · June 10, 2016, 7:02am

The reason for deleting cert:
For example, I began developing new version of site at new.site.com
Then I need to issue cert for new.site.com
Then, when development is ending, I switch domain site.com to the directory of test.site.com
And I need to expand certificate new.site.com to site.com.
This is confused me that I have got root cert with the test name.
May be the best way to do that is to define filename for new.site.com’s certificate in command line, and set it to site.com

ajbool · August 2, 2016, 7:41am

I like the idea that we keep records of the certs we have generated - however I too have old certs I no longer wish to renew. I found that creating a new directory /etc/letsencrypt/renew_disabled and simply moving a domains’s renewal file from /etc/letsencrypt/renew into the new folder was enough for the certbot renew command not to action these domains.

acicali · August 29, 2016, 9:33pm

Not sure if there’s an officially supported way of doing this, but I wanted to add that in additional to the /live and /renewal directories, there’s also a copy of the cert in /archive.

find /etc/letsencrypt/ -name "*mydomain*"

moonoiuk · March 14, 2017, 11:31am

This worked for me, many thanks…

made a backup first though JIC,

sudo cp /etc/letsencrypt/ /etc/letsencrypt.backup -r

I deleted the ‘no longer needed domains’ in the three folders…

rm -rf /etc/letsencrypt/live/${DOMAIN}
rm -rf /etc/letsencrypt/renewal/${DOMAIN}.conf
rm -rf /etc/letsencrypt/archive/${DOMAIN}

jdavid · April 12, 2017, 7:43am

Type “certbot delete” and choose the certificate to delete from the list. It removes files from live, archive and renewal directories.

Should this issue be closed now that there is a command to do it?

Jimbolino · April 25, 2017, 11:52am

“certbot delete” is a good starting point, but it doesn’t remove the created apache vhost and settings.
So executing “service apache2 restart” will trigger a “AH00526: Syntax error”

JohnCC · April 26, 2017, 12:52am

It would be great also if we could just do certbot delete {$DOMAIN} – having to select from a numbered list and then input the number is a little clunky.

schoen · April 26, 2017, 12:56am

@JohnCC, you should already be able to do that with the --cert-name option. To find out the relevant cert name, you can run certbot certificates.

JohnCC · April 26, 2017, 2:01am

Thank you, sorry I missed that. That helps a lot!

andrewjs18 · July 6, 2017, 7:41am

hi,

thanks for the thread…I was wondering the same thing with a few certs that died off for me.

just to note, since I use certbot-auto on 1 of my servers, you can run this command using:

sudo ./certbot-auto delete

question I have now is - can I rename the .conf name is /archive, /live, & /renewal?

schoen · July 6, 2017, 4:26pm

@erica, is there a way to reach rename_lineage in the cert manager from the CLI?

erica · July 6, 2017, 6:56pm

Rename has not yet launched, because we stalled on the complexity of renaming certs within the configuration files. Currently I would recommend deleting and recreating the certs with a new name.