How can I delete an inappropriate certificate?


#1

My problem is easy and simple.
I want to obtain a certificate that covers the whole site, so that all URLs are over HTTPS. But it’s my first time playing with Let’s Encrypt, and I can’t understand English documents accurately, so I made a mistake.
I have browsed through other help posts. I saw someone delete the ‘auto-renew’ config directly, which made the problem tricky. So I am writing a new post to ask for help. See “How to remove old, bad configuration?”

The first time, I obtained a certificate for ‘domain.com’. But I found ‘sub.domain.com’ was not over HTTPS.
I used sudo certbot certonly and selected 1: Spin up a temporary webserver (standalone)

The second time, I obtained a certificate for ‘*.domain.com’. All the subdomains are over HTTPS, but only ‘domain.com’ was broken. Of course, I have worked out how to obtain a wildcard certificate, so I don’t have any more trouble with this step.
I used

sudo certbot certonly -d "*.domain.com" --manual --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

I have two problems:
(1) Now, I know I should add one more parameter, like: -d example.com -d *.example.com. Is that right?

(2) And now, how can I remove the two wrong certificates?

And if anything else is wrong, could you please tell me?


#2

Hi @iwj

Yes, this is right. Use these two domain names.

First, create and install the new certificate. If this works, then (weeks later):

Check your certificates with

certbot certificates

to find the internal certificate name. Then use

certbot delete [certificate name]

to remove that certificate.
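
Why both names are needed, as an added example that is not part of the original posts: a wildcard name stands for exactly one label, so *.domain.com does not cover domain.com itself. The function names are made up for this sketch, and the name lists mirror the three certificates described in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): which hostnames does a SAN list cover?
# Function names are hypothetical; SAN lists below mirror the three
# certificates described in the thread.

# san_matches HOST SAN -> exit 0 if this one SAN entry covers HOST
san_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    san=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$san" in
        \*.*)
            suffix=${san#\*}                # e.g. ".domain.com"
            case "$host" in
                *"$suffix") ;;              # host must end with the suffix
                *) return 1 ;;
            esac
            label=${host%"$suffix"}         # what "*" has to stand for
            [ -n "$label" ] || return 1     # nothing left for "*"
            case "$label" in
                *.*) return 1 ;;            # "*" never spans two labels
            esac
            return 0 ;;
        *)  [ "$host" = "$san" ] ;;
    esac
}

# uncovered "HOST HOST ..." SAN... -> prints the hosts that no SAN covers
uncovered() {
    hosts=$1; shift
    missing=
    for h in $hosts; do
        ok=no
        for entry in "$@"; do
            san_matches "$h" "$entry" && ok=yes
        done
        [ "$ok" = yes ] || missing="$missing $h"
    done
    printf '%s\n' "${missing# }"
}

site="domain.com sub.domain.com"
echo "1st cert misses: $(uncovered "$site" domain.com)"
echo "2nd cert misses: $(uncovered "$site" '*.domain.com')"
echo "3rd cert misses: $(uncovered "$site" domain.com '*.domain.com')"
```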


#3

Oh, thanks! I’m very happy. :heart: :rose:

Great, certbot already has the command to remove the certificate: certbot delete

Fortunately, I did not delete these files directly. remove :joy:

Thank You!


#4

Update:

Maybe someone needs this information, so I am leaving a note below:

I created and installed a new certificate that includes domain.com and *.domain.com. It works well.

And today I want to remove the old, wrong certificate.

Thanks to JuergenAuer.

I ran certbot delete [certificate name], but it did not work. It output:

usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments:

Then I tried certbot delete on its own, because normally that would give some tips about the delete command.

But it worked, and it output all of my certificates with numbers (No. 1, No. 2, etc.).

So I chose a number and pressed Enter, and the target certificate was removed:

$ certbot delete
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which certificate(s) would you like to delete?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: xxx
2: xxx-0001
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Deleted all files relating to certificate xxx-0001
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

#5

What’s wrong with this? (Maybe you deleted the new one by mistake instead of the old one?)


#6

If you want to specify the certificate name to delete on the command line, you can do so with the --cert-name option, e.g.

certbot delete --cert-name xxx-0001

#7

Thanks.

The first time, I obtained a certificate for domain.com, and the application returned domain.com.

The second time, I obtained one for *.domain.com, and it returned *.domain.com.

The third time, I obtained one for domain.com & *.domain.com. This time, certbot created the certificate in the folder domain.com.

So my first and third certificates are in the folder domain.com, and my second certificate is in the folder domain-0001.


#8

By the way, may I ask another question?
As stated in my last reply, I created 3 certificates. The 1st and 2nd are wrong, and the 3rd is the right certificate.

The 2nd certificate (in the other folder) was already deleted. My 1st and 3rd certificates are in the same folder:

-rw-r--r-- 1 root root 2.1K Oct 15 23:07 cert1.pem # for domain.com
-rw-r--r-- 1 root root 2.2K Oct 16 23:32 cert2.pem # for *.domain.com & domain.com
-rw-r--r-- 1 root root 1.7K Oct 15 23:07 chain1.pem # for domain.com
-rw-r--r-- 1 root root 1.7K Oct 16 23:32 chain2.pem # for *.domain.com & domain.com
-rw-r--r-- 1 root root 3.8K Oct 15 23:07 fullchain1.pem # for domain.com
-rw-r--r-- 1 root root 3.8K Oct 16 23:32 fullchain2.pem # for *.domain.com & domain.com
-rw-r--r-- 1 root root 1.7K Oct 15 23:07 privkey1.pem # for domain.com
-rw-r--r-- 1 root root 1.7K Oct 16 23:32 privkey2.pem # for *.domain.com & domain.com

If it can be easily deleted, I will delete it. I am tired of this issue. If it doesn’t affect my normal work, I don’t want to delete the extra certificate. I am not a patient with OCD.

In short, I only need the certificate of Oct 16th. If it doesn’t affect anything, I will keep it.

Thanks again. Thank you for taking the time to help me resolve this issue. All of you guys are friendly and professional. I feel very happy.


#9

Normally Certbot maintains a complete history of all certificates and associated files in the archive directory, which we don’t expect users to look at or use most of the time. There’s no officially supported way to delete the older versions, but they shouldn’t affect anything.
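
How the folder in post #8 looks from Certbot's side, as an added example rather than anything posted in the thread: the files a web server should reference are the symlinks under live/, and the numbered files in archive/ that no symlink points at are only history. It assumes Certbot's usual live/ and archive/ layout; the function names are hypothetical and the demo tree is constructed from the listing in post #8.

```shell
#!/bin/sh
# Added example (not from the thread): which archive files are in use?
# Assumes Certbot's usual layout: live/NAME/*.pem are symlinks into
# archive/NAME/, where each issuance adds a new numbered set of files.
# Function names are hypothetical.

# live_targets CONFIG_DIR NAME -> archive file each live symlink points at
live_targets() {
    for kind in cert chain fullchain privkey; do
        link="$1/live/$2/$kind.pem"
        [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
        basename "$(readlink "$link")"
    done
}

# unused_versions CONFIG_DIR NAME -> archive files no live symlink uses
unused_versions() {
    used=$(live_targets "$1" "$2") || return 1
    for f in "$1/archive/$2"/*.pem; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        printf '%s\n' "$used" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# make_demo_tree -> temp dir holding a constructed copy of the folder
# listed in post #8 (empty files; only the names and links matter here)
make_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/archive/domain.com" "$d/live/domain.com"
    for kind in cert chain fullchain privkey; do
        : > "$d/archive/domain.com/${kind}1.pem"
        : > "$d/archive/domain.com/${kind}2.pem"
        ln -s "../../archive/domain.com/${kind}2.pem" \
            "$d/live/domain.com/$kind.pem"
    done
    printf '%s\n' "$d"
}

demo=$(make_demo_tree)
echo "in use:";       live_targets "$demo" domain.com
echo "history only:"; unused_versions "$demo" domain.com
rm -rf "$demo"
```

On a real host, pass /etc/letsencrypt (readable by root) and the certificate name that certbot certificates prints.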