How to remove a single alias from a certificate


When I first obtained my certificate, I specified several domain names with -d (,, etc.). Now, has been decomissioned and no longer resolves in DNS, but it’s still hanging around in the certificate. This causes certbot-auto renew to fail to renew the certificate for any of the other still valid aliases. The only way to get it to renew is to add the --allow-subset-of-names argument to the certbot-auto renew command. I don’t like having to kludge the command like this. Is there a way to remove just the alias and leave the others intact? Should I revoke the current cert and request a new one without


My domain is:

I ran this command:
certbot-auto renew

It produced this output:
The following certs are not due for renewal yet:
/etc/letsencrypt/live/ (skipped)
/etc/letsencrypt/live/ (skipped)
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/ (failure)

  • The following errors were reported by the server:

    Type: connection
    Detail: DNS problem: NXDOMAIN looking up A for

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

My operating system is (include version):
ubuntu server 16.04

My web server is (include version):
Apache/2.4.18 (Ubuntu)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


@rwright, Certbot does not have a good way to do this yet. This is a known problem and our colleagues are actively working on adding this functionality.

Right now the best thing to do would be to create a new certificate with only the domains that you want (you can ensure this happens by adding --duplicate to the Certbot command line). Once that’s working, you could delete or disable the previously existing certificate so that Certbot will no longer try to renew it.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.