Deleting certificates

I’ve run into an issue that I can’t seem to find an answer to elsewhere. I have recently deleted two domains from my server as well as a subdomain. I deleted the SSL certificates, but when I do a dry run for renewing the certificates, certbot seems to still be looking for those domains and trying to generate certificates for them (see the output below). The domains that were deleted from my VPS were: jsumerau.com, writewhereithurts.net, and games.ryananddebi.com. Is there a way to get certbot to stop looking for these domains and trying to renew certificates for them?

I didn’t include all of the output, just the errors. I also deleted a lot of the “.coms” to limit the number of URLs.

(NOTE: This isn’t time-sensitive as all my certificates for the domains I am still hosting are working fine. I’d just like to have this solved before it’s time to renew the certificates so there are not errors.)

My primary domain is: www.ryantcragun.com

I ran this command: certbot renew --dry-run

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Encountered vhost ambiguity when trying to find a vhost for games.ryananddebi.com but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (ryananddebi.com) from /etc/letsencrypt/renewal/ryananddebi.com.conf produced an unexpected error: Failed authorization procedure. games.ryananddebi (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for games.ryananddebi. Skipping.


Processing /etc/letsencrypt/renewal/bgreatinitiative.net.conf

Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:

Waiting for verification…
Cleaning up challenges

Encountered vhost ambiguity when trying to find a vhost for games.ryananddebi.com but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Encountered vhost ambiguity when trying to find a vhost for jsumerau.com but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Encountered vhost ambiguity when trying to find a vhost for writewhereithurts.net but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Encountered vhost ambiguity when trying to find a vhost for www.jsumerau.com but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Encountered vhost ambiguity when trying to find a vhost for www.writewhereithurts.net but was unable to ask for user guidance in non-interactive mode. Certbot may need vhosts to be explicitly labelled with ServerName or ServerAlias directives.
Falling back to default vhost *:443…
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (www.ryantcragun) from /etc/letsencrypt/renewal/www.ryantcragun.com.conf produced an unexpected error: Failed authorization procedure. writewhereithurts (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested a257def2dc4c052c06b0d1ffedf6ed70.cd6347b7d6d3de979ad5bde140dedb79.acme.invalid from 50.116.93.137:443. Received 3 certificate(s), first certificate had names "*.hostgator.com, hostgator", www.jsumerau.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested eb4caf4eef234bb2c6141c5a085c1d4f.045959d18c7143dd2f111b91fe00d3f3.acme.invalid from 50.116.93.138:443. Received 3 certificate(s), first certificate had names "*.hostgator.com, hostgator", games.ryananddebi.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for games.ryananddebi, www.writewhereithurts.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested ae81654ba6dc6fa88e76a7013b14cb03.dfa3a7f754a2ae1dec6ff0ea30411f75.acme.invalid from 50.116.93.137:443. Received 3 certificate(s), first certificate had names "*.hostgator.com, hostgator", jsumerau.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 70a2cee03ecabc458cbcc5ac464171c7.728d1f76ab3efd1c86f910938b11cde7.acme.invalid from 50.116.93.138:443. Received 3 certificate(s), first certificate had names "*.hostgator.com, hostgator". Skipping.

The following certs could not be renewed:
/etc/letsencrypt/live/ryananddebi.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.ryantcragun.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/bgreatinitiative.net/fullchain.pem (success)
/etc/letsencrypt/live/ryantcragun.com/fullchain.pem (success)
/etc/letsencrypt/live/deborahcragun.com/fullchain.pem (success)
/etc/letsencrypt/live/inheritedcancer.net/fullchain.pem (success)
/etc/letsencrypt/live/focusoutcomes.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/ryananddebi.com/fullchain.pem (failure)
/etc/letsencrypt/live/www.ryantcragun.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)

2 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: games.ryananddebi
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for
   games.ryananddebi

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: games.ryananddebi
   Type:   connection
   Detail: DNS problem: NXDOMAIN looking up A for
   games.ryananddebi

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
 - The following errors were reported by the server:

   Domain: writewhereithurts
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   a257def2dc4c052c06b0d1ffedf6ed70.cd6347b7d6d3de979ad5bde140dedb79.acme.invalid
   from 50.116.93.137:443. Received 3 certificate(s), first
   certificate had names "*.hostgator.com, hostgator"

   Domain: www.jsumerau
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   eb4caf4eef234bb2c6141c5a085c1d4f.045959d18c7143dd2f111b91fe00d3f3.acme.invalid
   from 50.116.93.138:443. Received 3 certificate(s), first
   certificate had names "*.hostgator.com, hostgator"

   Domain: www.writewhereithurts
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   ae81654ba6dc6fa88e76a7013b14cb03.dfa3a7f754a2ae1dec6ff0ea30411f75.acme.invalid
   from 50.116.93.137:443. Received 3 certificate(s), first
   certificate had names "*.hostgator.com, hostgator"

   Domain: jsumerau
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   70a2cee03ecabc458cbcc5ac464171c7.728d1f76ab3efd1c86f910938b11cde7.acme.invalid
   from 50.116.93.138:443. Received 3 certificate(s), first
   certificate had names "*.hostgator.com, hostgator"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

My web server is (include version): apache2 (2.4.18)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: linode.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @rcragun,

How did you delete your certificates?

What do you see now if you run certbot certificates?

I used the following command:
certbot delete --cert-name [domain]

I ran the certbot certificates command and got back 6 certificates. Only one of them includes the domains I no longer want. Here’s the output from that certificate (with the “.com” and “.net” removed so I can post the output):

Certificate Name: www.ryantcragun.com
Domains: bgreatinitiative deborahcragun focusoutcomes games.ryananddebi geneticrisk.deborahcragun inheritedcancer jsumerau lynchscreening mattwinston mormonsocialscience patelvolunteers researchsurveyor richardleontile ryananddebi ryancragun ryantcragun writewhereithurts www.bgreatinitiative www.deborahcragun www.focusoutcomes www.inheritedcancer www.jsumerau www.lynchscreening www.mattwinston www.mormonsocialscience www.patelvolunteers www.researchsurveyor www.richardleontile www.ryananddebi www.ryancragun www.ryantcragun www.writewhereithurts yougrade.inheritedcancer
Expiry Date: 2018-03-14 02:01:44+00:00 (VALID: 37 days)
Certificate Path: /etc/letsencrypt/live/www.ryantcragun.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.ryantcragun.com/privkey.pem

The domains that are bolded are domains and certificates I deleted.

This is one certificate with a bunch of domain names, including a few you don’t want anymore. Rather than delete it, you want to reissue that certificate, just without the names you don’t want anymore.

The easiest way to do that is to run:

sudo certbot renew --allow-subset-of-names

This will attempt to renew the certificate and automatically discard any domain names that are no longer working.

The downside of this method is that if there is a domain you want, but some temporary issue prevents the domain from being properly validated, it will also be removed. So be sure to carefully check the resulting certificate to make sure it still contains all the names you want if you do it this way.

The safer, but more complicated method, is to repeat the command you used to issue the certificate the first time, listing all the domains you still want on it.

@Patches, thank you for the suggestion. I tried that, but, because I have 6 certificates on my server (not sure why I do; I need to fix that), it didn’t work.

However, I think I figured out the solution.

I had to choose the specific certificate I wanted to renew:
certbot certonly --cert-name www.ryantcragun.com

Then, as certbot walked me through the process of renewing that certificate, it figured out which domains were not working and removed them from the certificate.

I think I understand what is going on now. Because I have multiple certificates (some of which have the same domains, which I need to resolve), when I renewed a certificate, it wasn't the one that included the domains I wanted to get rid of. But "certbot renew --dry-run" was showing what would happen if I tried to renew all the certificates, and some of them still included the obsolete/deleted domains.

I’m obviously doing something wrong if I’ve got multiple certificates with overlapping domains. I’ll figure that out. But your suggestions sent me down the right path of realizing that I had multiple certificates with overlapping domains.

I think we can mark this resolved.
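The two things the thread converges on are (a) finding which lineages share names, so you know which one actually carries the retired domains, and (b) reissuing that one lineage with an explicit domain list instead of trusting `--allow-subset-of-names` to guess. The script below is an added example written for this page, not code from the thread or from certbot: it parses the text format that `certbot certificates` prints (the `Certificate Name:` / `Domains:` lines shown above), reports every domain that appears on more than one lineage, and builds the `certbot certonly --cert-name ... -d ...` command with the retired names removed. The sample output and the `RETIRED` list are constructed for the example; `--apache` and `--dry-run` are the real certbot flags matching the poster's setup, and the script only prints the command rather than running it.

```python
"""Audit the lineages `certbot certificates` reports and build a reissue command.

Added example for this thread. SAMPLE_OUTPUT is a constructed, trimmed
imitation of `certbot certificates` output; RETIRED is a hypothetical list.
"""
import re
import shlex
from typing import Dict, Iterable, List, Set

CERT_NAME_RE = re.compile(r"^\s*Certificate Name:\s*(\S+)\s*$")
DOMAINS_RE = re.compile(r"^\s*Domains:\s*(.+?)\s*$")

# Constructed sample: three lineages, two of which overlap, as in the thread.
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: www.ryantcragun.com
    Domains: www.ryantcragun.com ryantcragun.com ryananddebi.com games.ryananddebi.com jsumerau.com www.jsumerau.com
    Expiry Date: 2018-03-14 02:01:44+00:00 (VALID: 37 days)
    Certificate Path: /etc/letsencrypt/live/www.ryantcragun.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.ryantcragun.com/privkey.pem
  Certificate Name: ryananddebi.com
    Domains: ryananddebi.com games.ryananddebi.com
    Expiry Date: 2018-03-20 10:00:00+00:00 (VALID: 43 days)
    Certificate Path: /etc/letsencrypt/live/ryananddebi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ryananddebi.com/privkey.pem
  Certificate Name: ryantcragun.com
    Domains: ryantcragun.com
    Expiry Date: 2018-03-22 10:00:00+00:00 (VALID: 45 days)
    Certificate Path: /etc/letsencrypt/live/ryantcragun.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ryantcragun.com/privkey.pem
"""

# Hypothetical list of names that no longer exist on the server.
RETIRED = ["games.ryananddebi.com", "jsumerau.com", "www.jsumerau.com"]


def parse_certificates(text: str) -> Dict[str, List[str]]:
    """Map each lineage name to its domain list, in the order certbot printed it."""
    lineages: Dict[str, List[str]] = {}
    current = None
    for line in text.splitlines():
        name = CERT_NAME_RE.match(line)
        if name:
            current = name.group(1)
            lineages[current] = []
            continue
        domains = DOMAINS_RE.match(line)
        if domains and current is not None:
            lineages[current] = domains.group(1).split()
    return lineages


def overlapping_names(lineages: Dict[str, List[str]]) -> Dict[str, Set[str]]:
    """Return {domain: set of lineages} for every domain held by more than one lineage."""
    owners: Dict[str, Set[str]] = {}
    for lineage, domains in lineages.items():
        for domain in domains:
            owners.setdefault(domain.lower(), set()).add(lineage)
    return {d: ls for d, ls in owners.items() if len(ls) > 1}


def reissue_command(lineages: Dict[str, List[str]], cert_name: str,
                    retired: Iterable[str], dry_run: bool = True) -> List[str]:
    """Build argv for reissuing one lineage with the retired names dropped.

    Keeps certbot's original order so the first -d stays the first name.
    Raises if the lineage is unknown or if nothing would be left on it.
    """
    if cert_name not in lineages:
        raise KeyError(f"no lineage named {cert_name!r}")
    gone = {d.lower() for d in retired}
    keep = [d for d in lineages[cert_name] if d.lower() not in gone]
    if not keep:
        raise ValueError(f"every name on {cert_name!r} is retired; delete it instead")
    cmd = ["certbot", "certonly", "--apache", "--cert-name", cert_name]
    if dry_run:
        cmd.append("--dry-run")  # rehearse against staging before touching the live lineage
    for domain in keep:
        cmd += ["-d", domain]
    return cmd


if __name__ == "__main__":
    found = parse_certificates(SAMPLE_OUTPUT)
    for domain, owners in sorted(overlapping_names(found).items()):
        print(f"{domain} is on {len(owners)} lineages: {', '.join(sorted(owners))}")
    print(shlex.join(reissue_command(found, "www.ryantcragun.com", RETIRED)))
```

Run it against the real output with `certbot certificates | python3 audit.py` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; once the printed `--dry-run` command succeeds, drop the flag and run it for real, then confirm the new certificate's names with `certbot certificates` again before assuming the retired domains are gone.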

I'm glad you got it fixed up!

It isn't necessarily "wrong".

Let's Encrypt's official advice regarding this topic is:

Our issuance policy allows for up to 100 names per certificate. Whether you use a separate certificate for every hostname, or group together many hostnames on a small number of certificates, is up to you.

Using separate certificates per hostname means fewer moving parts are required to logically add and remove domains as they are provisioned and retired. Separate certificates also minimize certificate size, which can speed up HTTPS handshakes on low-bandwidth networks.

On the other hand, using large certificates with many hostnames allows you to manage fewer certificates overall. If you need to support older clients like Windows XP that do not support TLS Server Name Indication (SNI), you’ll need a unique IP address for every certificate, so putting more names on each certificate reduces the number of IP addresses you’ll need.

For most deployments both choices offer the same security.

You've just learned the "Using separate certificates per hostname means fewer moving parts are required to logically add and remove domains as they are provisioned and retired." part the hard way. :wink:
