How to deactivate a cert

I am using the latest certbot on the latest Ubuntu and I am working directly on the server via SSH.
Let's say I have registered 23 domains for ssl: aaa.com through zzz.com
I get the certs and all is well until I realize aaa.com should have been spelled aba.com
There really is an aaa.com but it did not need a cert because it is redirected.
So I obtain the cert for aba.com in a separate execution of certbot.
Now I have 2 files in /etc/letsencrypt/live: aaa.com and aba.com
How do I deactivate aaa.com without affecting the other 22 domains so that I don't end up renewing an unused domain?

Certbot does not have a "deactivate" command. But you can delete the entire certificate. You just need to be sure you don't need it and more importantly: it's not being used by any software any longer.

See the certbot user guide on removing certificates for more info.

Thanks!
Will I still be able to add it back at some future date?


Yes you can add it back right away even.
[But what would be the point in that?]

In your example:

You seem to have overlooked that requests to HTTPS://aaa.com/ can't be redirected if you don't have a cert to answer that secure request with.
You would only be able to redirect:

But NOT:


Good point 🙂


Correct. There is no attempt to redirect the secure versions.

The directions seem over-complicated to me.
I am instructed to modify config files and set up self-signed certificates when all I wanted to do was make letsencrypt forget one cert.

That part's easy: certbot delete --cert-name foo.com. The problem is that if some server configuration is using that file, you've broken the server by deleting the certificate it needs. Hence the steps about modifying the config files.


One entire cert?
OR
Only one name within a cert (that also contains many other names - you want to keep)?

The cert file aaa.com does contain 23 [names] certs in my example.
I guess I am using the term cert incorrectly.
When I said cert I meant a cert for only one domain.
If cert means every domain in the file, then I guess I am saying to delete one name.

Removing a name from a cert (and any other modification) requires the creation of a new cert.
There is no simple command to remove a name from a cert (that I know of).

If the name fails to validate, you could use the --allow-subset-of-names option.

If the name can be validated, then why are you trying to remove it (again)?
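The reply above says removing a name means issuing a new cert. The usual way to do that with certbot is to run `certbot certonly` again with the same `--cert-name` and the reduced `-d` list, which replaces the lineage in place rather than creating a second one. The script below is an added example (not from this thread or the certbot project); the lineage name and the name list are constructed to match the question, and the functions only print the command so nothing here contacts the CA.

```shell
#!/bin/sh
# Added example: reissue an existing certbot lineage without one of its names.
# Assumed: the lineage is called "aaa.com" (certbot names it after the first
# domain of the original request). The name list is constructed sample data
# standing in for the 23-name cert in the question.

CERT_NAME="aaa.com"
CURRENT_NAMES="aaa.com aba.com bbb.com ccc.com"

# build_reissue_cmd LINEAGE DROP NAME...
# Prints a `certbot certonly` command that keeps every name except DROP.
# Reusing --cert-name makes certbot update the existing lineage (it asks you
# to confirm that names are being removed) instead of creating a fresh
# /etc/letsencrypt/live/<name>-0001 directory that nothing references.
build_reissue_cmd() {
    lineage=$1; drop=$2; shift 2
    cmd="certbot certonly --cert-name $lineage"
    kept=0
    for n in "$@"; do
        [ "$n" = "$drop" ] && continue
        cmd="$cmd -d $n"
        kept=$((kept + 1))
    done
    # A lineage with no names left cannot be reissued; delete it instead,
    # after checking that no server config still points at its files.
    if [ "$kept" -eq 0 ]; then
        printf '%s\n' "certbot delete --cert-name $lineage"
        return 0
    fi
    printf '%s\n' "$cmd"
}

# Usage: review the printed command, append the authenticator flag you used
# originally (e.g. --nginx or --webroot -w /path), then run it as root.
# shellcheck disable=SC2086
build_reissue_cmd "$CERT_NAME" "aaa.com" $CURRENT_NAMES
```

Note that the lineage keeps the name `aaa.com` in `/etc/letsencrypt/live` even after that domain is dropped; that is cosmetic, and the renewal config under `/etc/letsencrypt/renewal` will only list the names that remain.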

The name can be validated, but the secure form of it is not being used at this time.
http://aaa.com is being redirected to a secure site.
Nobody is going to type https://aaa.com so no need for a cert.
I was just trying to save a few bits and bandwidth for us and letsencrypt.
However, I would like to know how to recreate a cert.

That is easiest done with a successful renewal request:
Like with: certbot renew
But that should renew all the names on the cert and merely extend the life of it.

There are browsers (today) that will take the input of "aaa.com" and look for "https://aaa.com/".
Security is of big concern these days - and it will only get bigger going forward.
HTTP is seeing its last days...

You bring up a good point.
The client I am working with has over 250 domains if all redirects are counted.
If I were to allow letsencrypt to create a cert for all of them, wouldn't that go over the limit?

Yes; LE certs are limited to 100 entries.
So you would need to use multiple certs to cover that many entries.
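With more than 100 names, the domain list has to be split across several certs as the reply above says. The script below is an added example (not from this thread or the certbot project) that plans that split: it groups a constructed list of 250 domains into certs of at most 100 names and prints one `certbot certonly` command per group, naming each lineage after its first domain so it can be addressed later with `--cert-name`. It only prints the commands; nothing is issued.

```shell
#!/bin/sh
# Added example: split a long domain list into certificates of at most
# MAX_NAMES names each (100, the per-certificate limit stated in the thread).
# The domain list is constructed sample data; the script prints a plan and
# does not run certbot.

MAX_NAMES=100

# plan_certs MAX NAME...
# Emits one `certbot certonly` line per group of up to MAX names. Each lineage
# is named after the first domain in its group.
plan_certs() {
    max=$1; shift
    cmd=""; count=0
    for n in "$@"; do
        if [ "$count" -eq 0 ]; then
            cmd="certbot certonly --cert-name $n"
        fi
        cmd="$cmd -d $n"
        count=$((count + 1))
        if [ "$count" -eq "$max" ]; then
            printf '%s\n' "$cmd"
            cmd=""; count=0
        fi
    done
    # Flush the last, possibly partial, group.
    [ "$count" -gt 0 ] && printf '%s\n' "$cmd"
    return 0
}

# count_commands MAX NAME... -> number of certificates the plan needs
count_commands() {
    plan_certs "$@" | wc -l | tr -d ' '
}

# Constructed sample: 250 distinct domains, d1.example ... d250.example.
sample_domains() {
    i=1
    while [ "$i" -le 250 ]; do
        printf 'd%d.example ' "$i"
        i=$((i + 1))
    done
}

# Usage: prints three commands (100 + 100 + 50 names) for the sample list.
# shellcheck disable=SC2046
plan_certs "$MAX_NAMES" $(sample_domains)
```

Once issued, all the resulting lineages are renewed together by the usual `certbot renew`, so the split only matters at issuance time and when a single name later has to be moved or dropped.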

When you say:

and

I'm wondering if they are mostly just subdomains within just a few domains?
OR
Actually 250+ completely separate domains?

The reason I ask is that wildcards could help reduce the number of entries greatly (in the first case).

They are all domains.
This is a major client with oodles of domains.
So, when certbot lists all the domains and asks me to select all or enter numbers, I don't suppose I can enter 1-100.

Now that would be useful.
If it can't, (IMO) it would be a reasonable feature request.

Feature requested!

