How to disable auto renew for a domain?

I’m using certbot-auto to request & renew certificates.

In general, it’s working fine for my individual domains.

I just started using DNS validation so I can take advantage of wildcard certificates. I have a script that seems to be doing what I need (I was able to request, and validate, a wildcard certificate) with certbot-auto’s manual authentication mechanism.

The problem is, I still have domains on the machine that are using the old tls-sni mechanism.

I want certbot-auto to renew the other domains automatically but not renew the domain I’m validating with DNS via the script.

Is there a way to configure certbot-auto to NOT renew a certificate when running the renew command?

Thanks!

david

I believe you can use the --cert-name flag to specify:

renew
Renew all certificates (or one specified with --cert-name)

https://certbot.eff.org/docs/using.html#certbot-command-line-options

Hello @fallingrock,
You may have already seen these resources, but an earlier discussion from Multiple domain renewal config file may help get you started.

@jared.m is spot on… the documentation on Certbot Command Line Options is extremely useful.

“certbot renew” is going to want to do them all by default… But if I’m not mistaken, the “-d (domain) options” might suit your needs. If it were me, I’d consider working out two separate requests… One for the wildcard certificate and a second for your individual cert(s) respectively. If it works out you could then script it and create a crontab to automate the process for the future. Keep in mind that your cli.ini (wherever your platform stores it can override your input so make sure cli.ini contains only global options compatible with both your “certificate profiles”.

A long time ago, we created an option called autorenew in the renewal configuration file in /etc/letsencrypt/renewal. It should be possible to set autorenew = False up at the top of an individual renewal configuration file and then have that particular certificate be skipped over entirely by certbot renew.

However, I think you may be the first user ever to ask about this on the forum, so I wouldn’t call this feature well-tested. I’d be glad to hear about how well it works!

2 Likes

@schoen, Would it be acceptable to renew for the “special domains” followed by certbot renew to catch the other wildcard (sub)domains ?
Something like "certbot renew --apache --cert-name welike.pizza --cert-name www.welike.pizza && certbot renew " ?

The former command is simply not supported by certbot renew at all, not because it's logically impossible or anything, but just because we haven't implemented it that way.

You are right, of course. When I run:
certbot renew --apache --cert-name www.blah-blah.com --cert-name blah-blah.com certbot doesn’t complain, but it does ignore the first --cert-name option.
Perhaps employing your solution with “set autorenew = False” in the renewal configuration file is the best way to proceed. (I have a similar issue as @fallingrock and have been pounding the documentation for the “correct way” to address it)
Thanks Much!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.