How to remove a sub-domain from the renewal process


#1

At some point I added a subdomain to my apache config
support.growthpath.com.au
but this is no longer hosted by this server, and there is no residual apache config that I can find.
Yet certbot has this in the list of domains it tries to certify, and renewal fails because it cannot verify it.
I do not know how to fix it.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: growthpath.com.au (or www.growthpath.com.au)
failing is support.growthpath.com.au which I want certbot to forget

I ran this command:
sudo certbot renew --dry-run

It produced this output:

summary: failure for support.growthpath.com.au


Processing /etc/letsencrypt/renewal/growthpath.com.au.conf

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for growthpath.com.au
http-01 challenge for www.growthpath.com.au
http-01 challenge for support.growthpath.com.au
Waiting for verification…
Cleaning up challenges
Attempting to renew cert (growthpath.com.au) from /etc/letsencrypt/renewal/growthpath.com.au.conf produced an unexpected error: Failed authorization procedure. support.growthpath.com.au (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://support.growthpath.com.au/.well-known/acme-challenge/rQ77ytD45e1srS7obEVISdgZOyoFqCuV3pgPa4HQN2k: "

404 Not Found

404 Not Found

</h". Skipping.

My web server is (include version):
apache

The operating system my web server runs on is (include version):
ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#2

Hi,

Although certbot now provides an option that allows you to add a hostname to an existing certificate, it doesn’t allow you to remove one from it (as of today). Hence you will need to issue a new certificate with the two hostnames.

P.S. commands needed:

  1. certbot --apache -d growthpath.com.au -d www.growthpath.com.au
  2. certbot delete (remove the current, 3 host name certificate)

Thank you


#3

If it’s a reasonably new version of Certbot, you can run a command similar to what was used to create the certificate:

sudo certbot --apache --cert-name growthpath.com.au -d growthpath.com.au -d www.growthpath.com.au

That will issue a new certificate and save it in place of the old one.

If you passed other options to Certbot when creating the old certificate – like a hook to do something – you have to replicate those as well.
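
Added example, not part of the original posts: a small shell helper that reads the output of `certbot certificates`, drops the stale hostname, and prints the reissue command in the form given above. The function names and the sample listing are constructed for illustration, and the listing layout is assumed to match what your Certbot version prints.

```shell
# Constructed sample of `certbot certificates` output (not from the thread).
sample_listing() {
cat <<'EOF'
Found the following certs:
  Certificate Name: growthpath.com.au
    Domains: growthpath.com.au www.growthpath.com.au support.growthpath.com.au
    Expiry Date: 2018-03-01 00:00:00+00:00 (VALID: 20 days)
    Certificate Path: /etc/letsencrypt/live/growthpath.com.au/fullchain.pem
EOF
}

# cert_domains NAME: read `certbot certificates` output on stdin and print
# the domains of the certificate called NAME, one per line.
cert_domains() {
    awk -v want="$1" '
        $1 == "Certificate" && $2 == "Name:" { current = $3 }
        $1 == "Domains:" && current == want {
            for (i = 2; i <= NF; i++) print $i
        }'
}

# reissue_command NAME DROP...: print the certbot command that replaces
# certificate NAME with one covering every current name except DROP...
# Fails if a DROP name is not on the certificate or if no name would remain,
# so a typo cannot silently produce a command that changes nothing.
reissue_command() {
    name=$1; shift
    domains=$(cert_domains "$name")
    [ -n "$domains" ] || { echo "no certificate named $name" >&2; return 1; }
    for drop in "$@"; do
        echo "$domains" | grep -qxF -- "$drop" ||
            { echo "$drop is not on $name" >&2; return 1; }
        domains=$(echo "$domains" | grep -vxF -- "$drop" || true)
    done
    [ -n "$domains" ] || { echo "no names left on $name" >&2; return 1; }
    cmd="certbot --apache --cert-name $name"
    for d in $domains; do cmd="$cmd -d $d"; done
    echo "$cmd"
}

# On the server (review the printed command before running it with sudo):
#   sudo certbot certificates | reissue_command growthpath.com.au support.growthpath.com.au
```

After reissuing, `sudo certbot renew --dry-run` should list http-01 challenges only for the names that remain.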


#4

@mnordhoff’s suggestion is more accurate for current versions of Certbot.

