How do I remove non-public domains? Domains still work locally

I use the reverse proxy server nginx, on which I also manage LE certificates. There are about 10 domains that renew excellently.
Now I canceled 2 public domains, but their names still work in the local network.
I created my own CA for these 2 domains and it also works perfectly.
I didn't change anything in the nginx configuration, I just created new symlinks for my new certificates.

sudo ln -sf ~/www.example.com.pem /etc/letsencrypt/live/example.com/fullchain.pem
sudo ln -sf ~/www.example.com-key.pem /etc/letsencrypt/live/example.com/privkey.pem
sudo nginx -t && sudo systemctl reload nginx

The domains no longer exist publicly and I don't want certbot to try to restore them.
However, I cannot remove anything from /etc/nginx/sites-available. Otherwise it wouldn't work locally.

I can basically ignore this problem, but I like a clean log.

Start with the output of:

certbot certificates

There you should find certificates that contain the domains that are no longer publicly accessible [they may already show as "EXPIRED"].
Simply remove those unnecessary certs from certbot management with:

certbot delete --cert-name {actual cert name}

[repeat that step once per certificate that is no longer required]

2 Likes
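As an added example (not part of the answer above or of Certbot itself), the following script parses the output of certbot certificates and sorts each certificate into "delete" (every name on it is retired), "mixed" (some names retired, some still live) or "keep", then prints the matching certbot delete command rather than running it, so the plan can be reviewed first. The certbot output and the hostnames are constructed for the example; the exact expiry wording in real output depends on the Certbot version.

```shell
#!/bin/sh
# Added example: classify certbot-managed certificates by retired names.
# Input: `certbot certificates` output on stdin; retired hostnames as arguments.
# Output: one line per cert: "delete NAME" (every name retired),
#         "mixed NAME" (some names retired), or "keep NAME" (none retired).
classify_certs() {
    awk -v retired="$*" '
        BEGIN { n = split(retired, r, " "); for (i = 1; i <= n; i++) ret[r[i]] = 1 }
        /^[[:space:]]*Certificate Name:/ { name = $3 }
        /^[[:space:]]*Domains:/ {
            total = 0; gone = 0
            for (i = 2; i <= NF; i++) { total++; if ($i in ret) gone++ }
            if (gone == total)  printf "delete %s\n", name
            else if (gone > 0)  printf "mixed %s\n", name
            else                printf "keep %s\n", name
        }'
}

# Turn the classification into commands, printed rather than executed,
# so they can be reviewed before anything under /etc/letsencrypt changes.
plan_cleanup() {
    classify_certs "$@" | while read -r action name; do
        case $action in
            delete) echo "certbot delete --cert-name $name" ;;
            mixed)  echo "# $name still carries live names: make sure every live name validates,"
                    echo "# then drop the retired ones with:"
                    echo "certbot renew --cert-name $name --allow-subset-of-names" ;;
        esac
    done
}

# Constructed sample of `certbot certificates` output (not captured from a real host).
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com
    Expiry Date: 2023-03-01 10:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example.com/privkey.pem
  Certificate Name: shop.example.org
    Domains: shop.example.org old.example.org
    Expiry Date: 2023-08-01 10:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/shop.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shop.example.org/privkey.pem
  Certificate Name: blog.example.org
    Domains: blog.example.org
    Expiry Date: 2023-08-01 10:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/blog.example.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/blog.example.org/privkey.pem'

# Demo on the constructed sample. On a real host replace the printf with:
#   certbot certificates 2>/dev/null | plan_cleanup example.com www.example.com
printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | plan_cleanup example.com www.example.com old.example.org
```

The "mixed" case is the one the rest of the thread worries about: a certificate that still carries names you need must not be deleted, and dropping names with --allow-subset-of-names only does what you want if every live name validates on that run.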

I think he may have all of them in a single certificate and wants to unload some names from it.

3 Likes

That is unclear.
If that is the case, then renewing without those "EXPIRED" names is the simpler choice:

certbot renew --allow-subset-of-names

2 Likes

I wonder what would happen when such a renewal attempt would remove the last remaining name from a cert...

With no names left to include in the renewed cert, certbot would have to either:

  • fail the renewal completely
  • renew it as an empty cert and delete the cert altogether

In the first case, the "EXPIRED" cert would remain and the "clean log" request would remain [dirty].
In the second case, it would act as a delete request and mimic the first recommendation.

2 Likes

Please note that one must be absolutely sure all required hostnames validate properly and that only the hostnames you want removed fail. Otherwise Certbot will remove any failed hostname from the certificate, even if that failure is a one-time temporary thing.

Solution: one can simply run certbot renew without the option to (try to) validate everything. Issuance won't work, but the already validated authorizations are cached.

It would perhaps be a great feature to have Certbot ask "Are you sure?" before continuing or something like that if run interactive.

1 Like

The following name(s) will be removed from this cert: x name, y name, z name
Do you want to continue? [y/N]

Something like that would be nice.

1 Like

You really should change the nginx config to use your new certs directly. Having a symlink to a Certbot folder is asking for trouble.

3 Likes

@MikeMcQ beat me to it. Definitely update your Nginx config to pick your private CA certificates from somewhere other than /etc/letsencrypt.

If that means you have let the domain registrations expire and are still using the domains on your LAN, that also falls under the category of things that could eventually cause problems. It's not quite at the level of the site I encountered that was running public US DOD IPs on the LAN because "the numbers looked cool". :man_facepalming:

3 Likes

I restored the LXC container from a backup where everything is valid (that is, where there are valid certificates, but already expired).
I ran the command

sudo certbot certificates

I deleted the certificate

sudo certbot delete --cert-name example.com

also a symlink

sudo unlink /etc/nginx/sites-enabled/www.example.com

I modified the path to the new certificate in the configuration

sudo nano /etc/nginx/sites-available/www.example.com

I created a new symlink and reload nginx

sudo ln -s /etc/nginx/sites-available/www.example.tk /etc/nginx/sites-enabled/www.example.tk
sudo nginx -t && sudo systemctl reload nginx

When I run a dry-run renewal

sudo certbot renew --dry-run

Everything works great

2 Likes
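The advice above to stop symlinking into /etc/letsencrypt and the final post's manual edit of the vhost come down to the same change: point ssl_certificate and ssl_certificate_key straight at the private-CA files, then confirm nothing in the vhost still depends on certbot's per-certificate tree. As an added example (not code from the thread or from Certbot), this script does that rewrite and the check. It assumes a layout not stated in the original: all private-CA files in one directory named <name>.pem and <name>-key.pem, matching the mkcert-style names the question used. The sample vhost is constructed in the shape the certbot nginx plugin writes.

```shell
#!/bin/sh
# Added example: move an nginx vhost off certbot's directory tree.
# Assumed (not from the original post): the private-CA files live in one
# directory as <name>.pem and <name>-key.pem.

# Rewrite ssl_certificate / ssl_certificate_key lines that point into
# /etc/letsencrypt/live/<name>/ so they point at $2/<name>.pem and
# $2/<name>-key.pem. A .bak copy of the config is kept beside it.
repoint_ssl() {
    conf=$1; ca_dir=$2
    sed -i.bak \
        -e "s#^\([[:space:]]*ssl_certificate[[:space:]]\{1,\}\)/etc/letsencrypt/live/\([^/]*\)/fullchain\.pem;#\1${ca_dir}/\2.pem;#" \
        -e "s#^\([[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\)/etc/letsencrypt/live/\([^/]*\)/privkey\.pem;#\1${ca_dir}/\2-key.pem;#" \
        "$conf"
}

# Succeed only if the vhost no longer uses certbot's per-certificate tree and
# every certificate/key file it names is readable. The shared
# options-ssl-nginx.conf include is left alone: certbot delete does not remove it.
verify_ssl_paths() {
    conf=$1
    if grep -q '/etc/letsencrypt/live/' "$conf"; then
        echo "still uses certbot's live/ tree: $conf" >&2
        return 1
    fi
    sed -n 's/^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^;]*\);.*/\2/p' "$conf" |
    while read -r f; do
        [ -r "$f" ] || { echo "missing file: $f" >&2; exit 1; }
    done
}

# Constructed vhost in the shape the certbot nginx plugin writes; prints its path.
make_sample_conf() {
    cat > "$1/www.example.com" <<'EOF'
server {
    listen 443 ssl;
    server_name www.example.com example.com;
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
}
EOF
    echo "$1/www.example.com"
}

# Demo in a scratch directory. On a real host the sequence is:
#   repoint_ssl /etc/nginx/sites-available/www.example.com /etc/ssl/private-ca &&
#   verify_ssl_paths /etc/nginx/sites-available/www.example.com &&
#   nginx -t && systemctl reload nginx
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/private-ca"
    : > "$tmp/private-ca/www.example.com.pem"
    : > "$tmp/private-ca/www.example.com-key.pem"
    conf=$(make_sample_conf "$tmp")
    repoint_ssl "$conf" "$tmp/private-ca"
    grep 'ssl_certificate' "$conf"
    verify_ssl_paths "$conf" && echo "ok: $conf no longer depends on /etc/letsencrypt/live"
    rm -rf "$tmp"
}
demo
```

Running verify_ssl_paths before nginx -t catches the case the thread warns about: once certbot delete has removed /etc/letsencrypt/live/<name>/, a vhost that still references that directory (or a symlink planted inside it) fails at the next reload.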