How to delete a domain from a certificate that is used for multiple sites using Lego?

I'm using Lightsail multisite to host a few of my websites (4 domains) and I used Let's Encrypt to create a certificate and sign (using Lego). I'm no longer hosting one of the domains and due to the certificate being generated for all 4 domains, I am no longer able to renew the certificate for the remaining 3 domains. I'm using Lego and not Certbot.

Is there some way to delete this domain from the certificate and renew?

If I read the lego documentation correctly with regard to renewing (Renew a Certificate :: Let’s Encrypt client and ACME library written in Go.), for renewal, lego should be run with the same options as earlier, but simply change the run command to renew.

I don't have experience with lego (reading the documentation, it makes some illogical decisions IMO, so I don't want to either), but to me this tells me you should simply be able to renew, but leave out one of the --domains options?

1 Like

I'm not specifying the domains. Just the main domain name and it picks all the domains to renew for from the previous list that it has. So when I try to renew it fails the DNS checks for the 4th domain and the certificate is not renewed.

I can't find anything related to adding or removing domains from existing certificates in the documentation. Maybe search/ask on their Github repo at go-acme/lego · Discussions · GitHub or perhaps Issues · go-acme/lego · GitHub?

1 Like

I don't use lego either but from the docs it looks like you just re-create a new one with the names you want. Once your service is using this new cert you delete the older one you no longer need.

3 Likes

Thank you. I was trying to move the old certificates and create afresh as the link says. However, my domains do not end with ".com" and now I am getting the error "Domain name does not end with valid public suffix (TLD)".

1 Like

Are they valid public DNS names?

What are the names?

2 Likes

I think I understood why the checks are failing. The sites are already https:// because the existing certificates are applied. The DNS checks look for http://. How do I delete the certs and revert the site back to http before I create new ones?
My sites are do-up.in and justexim.in

That doesn't make sense: DNS resolves hostnames and is not related to protocols like HTTP or HTTPS.

1 Like

You don't need to delete any certs to serve a site via HTTP.
That can be done at any time [with or without certificates].

  1. You may need to remove any HTTP to HTTPS redirections (if any are used) to serve content directly via HTTP.
  2. If any other mechanism has been applied to induce HTTPS, that may need to be removed as well.
     Like: HTTP Strict Transport Security - Wikipedia

1 Like

Did you use the webroot method when you got your initial certs?

If so, is the webroot path the same in the HTTPS VirtualHost as it was in the HTTP VirtualHost? Maybe you just need to update the webroot path in your lego command?

Or, update the Apache VirtualHost so it does not redirect HTTP Challenge requests from HTTP to HTTPS. Maybe like this:

2 Likes
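The two pieces of advice in this thread, re-issue a certificate that covers only the names still hosted and first check that challenge requests on plain HTTP are not being redirected, put together as one POSIX shell script. This is an added example, not code from the thread or from the lego project: the account e-mail and webroot path are placeholders, the domain names used in the usage note are the ones given above, and it assumes lego is on PATH and that the HTTP-01 challenge is served from a webroot (lego's `--http.webroot` mode). The lego flags used (`--accept-tos`, `--email`, `--domains`, `--http`, `--http.webroot`, `run`) are real lego options.

```shell
#!/bin/sh
# Pre-flight check plus re-issue command for a reduced domain list with lego.
# Added example (not from the thread or lego). Placeholders below must be edited.

ACME_EMAIL="admin@example.invalid"   # placeholder account e-mail
WEBROOT="/var/www/html"              # placeholder path lego writes challenge files to

# Reduce a raw HTTP response header block (as printed by `curl -D -`) to
# "<status> <location>" on one line. CRLF endings are stripped first.
parse_probe_headers() {
  awk '{ sub(/\r$/, "") }
       NR == 1 { status = $2 }
       tolower($1) == "location:" { loc = $2 }
       END { print status, loc }'
}

# True (exit 0) when a challenge request got a redirect whose target is HTTPS.
# Arguments: HTTP status code, Location header value.
challenge_redirected_to_https() {
  status="$1"; location="$2"
  case "$status" in
    301|302|303|307|308)
      case "$location" in
        https://*) return 0 ;;
      esac ;;
  esac
  return 1
}

# GET a dummy token under /.well-known/acme-challenge/ over plain HTTP (port 80),
# exactly where the CA's HTTP-01 validator looks, and report what came back.
probe_challenge_path() {
  name="$1"
  curl -s -o /dev/null -D - --max-time 10 \
    "http://$name/.well-known/acme-challenge/probe-$$" 2>/dev/null \
  | parse_probe_headers
}

# Build the lego command that issues a fresh certificate for the names you
# still host. Each name becomes its own --domains flag; the first one is the
# certificate's main domain.
build_lego_run_cmd() {
  cmd="lego --accept-tos --email $ACME_EMAIL --http --http.webroot $WEBROOT"
  for d in "$@"; do
    cmd="$cmd --domains $d"
  done
  echo "$cmd run"
}

main() {
  for d in "$@"; do
    # shellcheck disable=SC2046  # word-splitting the "status location" pair is intended
    set -- $(probe_challenge_path "$d")
    if challenge_redirected_to_https "${1:-}" "${2:-}"; then
      echo "WARN: $d redirects challenge requests to HTTPS (${1} -> ${2});" \
           "exempt /.well-known/acme-challenge/ from the redirect first" >&2
    else
      echo "OK:   $d answers challenge requests over HTTP (status ${1:-none})"
    fi
  done
  echo "Re-issue with only the names you still host:"
  build_lego_run_cmd "$@"
}

# Run only when domain names are given on the command line.
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Usage: `sh reissue-check.sh do-up.in justexim.in`. The script only prints the lego command; run it yourself once every name reports OK and the dropped domain is not in the list, then switch the web server to the new certificate files before removing the old ones, as suggested above.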

I had to update the PHP on my servers as well. So I took the slightly harder route of doing a backup of my website data, creating a brand new instance and setting up everything afresh, so I could create new certificates and get it all going.

Thank you for your helpful tips!

2 Likes

"May register at the second level or at the third level beneath generic-category 2nd-level domains"

These don't match.

2 Likes
