I use the reverse proxy server nginx, on which I also manage LE certificates. There are about 10 domains that renew excellently.
Now I canceled 2 public domains, but their names still work in the local network.
I created my own CA for these 2 domains and it also works perfectly.
I didn't change anything in the nginx configuration, I just created new symlinks for my new certificates.
The domains no longer exist publicly and I don't want certbot to try to restore them.
However, I cannot remove anything from /etc/nginx/sites-available. Otherwise it wouldn't work locally.
I can basically ignore this problem, but I like a clean log.
There you should find certificates that contain the domains that are no longer publicly accessible [they may already show as "EXPIRED"].
Simply remove those unnecessary certs from certbot management with:
certbot delete --cert-name {actual cert name}
[repeat that step once per certificate that is no longer required]
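One way to carry out the "find the certs, then delete them" step above as a reviewable script; this is an added example, not code from the thread or from Certbot. It parses a constructed sample of `certbot certificates` output (assumed to use the usual "Certificate Name:" / "Domains:" block layout), prints a `certbot delete` command only for certificates whose names are all retired, and flags certificates that mix retired and still-live names so they are not deleted by mistake.

```shell
#!/bin/sh
# Constructed sample standing in for the output of `certbot certificates`.
SAMPLE_CERTS='Found the following certs:
  Certificate Name: shop.example.com
    Domains: shop.example.com www.shop.example.com
    Expiry Date: 2024-01-10 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/shop.example.com/fullchain.pem
  Certificate Name: blog.example.com
    Domains: blog.example.com
    Expiry Date: 2025-03-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/blog.example.com/fullchain.pem'

# classify_certs "<certbot certificates output>" retired-host [retired-host...]
# Prints "<cert name> all" when every name on the cert is retired and
# "<cert name> partial" when only some are; certs with no retired name
# are not printed at all.
classify_certs() {
    listing=$1; shift
    printf '%s\n' "$listing" | awk -v retired="$*" '
        BEGIN { n = split(retired, r, " ") }
        /^[[:space:]]*Certificate Name:/ { name = $3 }
        /^[[:space:]]*Domains:/ {
            hit = 0; total = NF - 1
            for (i = 2; i <= NF; i++)
                for (j = 1; j <= n; j++)
                    if ($i == r[j]) { hit++; break }
            if (hit == total) print name " all"
            else if (hit > 0) print name " partial"
        }'
}

# delete_commands: emit the delete command for fully retired certs only;
# a cert that still carries live names is flagged for manual review, since
# deleting it would also drop the names the local services still rely on.
delete_commands() {
    classify_certs "$@" | while read -r name kind; do
        if [ "$kind" = all ]; then
            printf 'certbot delete --cert-name %s\n' "$name"
        else
            printf '# REVIEW %s: still lists live names, not deleting\n' "$name"
        fi
    done
}

# Stand-alone demonstration on the constructed sample.
delete_commands "$SAMPLE_CERTS" shop.example.com www.shop.example.com
```

Review the printed commands before running them; the script itself never calls `certbot delete`.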
I wonder what would happen when such a renewal attempt would remove the last remaining name from a cert...
With no names left to include in the renewed cert, certbot would have to either:
fail the renewal completely
renew it as an empty cert and delete the cert altogether
In the first case, the "EXPIRED" cert would remain and the "clean log" request would remain [dirty].
In the second case, it would act as a delete request and mimic the first recommendation.
Please note that one must be absolutely sure all required hostnames validate properly and only the hostnames that you want to have removed fail. Otherwise Certbot will remove any failed hostname from the certificate, even if that failure is a one-time temporary thing.
Solution: one can simply run certbot renew without the option to (try to) validate everything. Issuance won't work, but the already validated authorizations are cached.
It would perhaps be a great feature to have Certbot ask "Are you sure?" before continuing or something like that if run interactive.
@MikeMcQ beat me to it. Definitely update your Nginx config to pick your private CA certificates from somewhere other than /etc/letsencrypt.
If that means you have let the domain registrations expire and are still using the domains on your LAN, that also falls under the category of things that could eventually cause problems. It's not quite to the level of the site I encountered that was running public US DOD IPs on the LAN because "the numbers looked cool".