How to remove a sub-domain from the renewal process

At some point I added a subdomain to my apache config
but this is no longer hosted by this server, and there is no residual apache config that I can find.
Yet certbot has this in the list of domains it tries to certify, and renewal fails because it can not verify it.
I do not know how to fix it.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: (or
failing is which I want certbot to forget

I ran this command:
sudo certbot renew --dry-run

It produced this output:

summary: failure for

Processing /etc/letsencrypt/renewal/

Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for
http-01 challenge for
http-01 challenge for
Waiting for verification…
Cleaning up challenges
Attempting to renew cert ( from /etc/letsencrypt/renewal/ produced an unexpected error: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from "

404 Not Found

404 Not Found

</h". Skipping.

My web server is (include version):

The operating system my web server runs on is (include version):
ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


Although certbot now provides option to allow you add a hostname into existing certificate, it doesn’t allow to remove one from it (as of today). Hense you will need to issue a new certificate with the two hostname

P.S. command needed:

  1. certbot --apache -d -d
  2. certbot delete (remove the current, 3 host name certificate)

Thank you

1 Like

If it’s a reasonably new version of Certbot, you can run a command similar to what was used to create the certificate:

sudo certbot --apache --cert-name -d -d

That will issue a new certificate and save it on place of the old one.

If you passed other options to Certbot when creating the old certificate – like a hook to do something – you have to replicate those as well.

1 Like

@mnordhoff’s suggestion is more accurate for current versions of Certbot.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.