A few months ago I created official certificates for my different web sites. I have two different domain names but because I didn’t know LE very well, I created everything in one command, which eventually I found not to be very good for maintenance. So I recreated certificates, one for each domain. It created new *-0001 dirs and files, which I’m using now.
Today I renewed my certificates simply using ./letsencrypt-auto renew and everything worked fine, but I saw that my old, unused certificates were also renewed:
Processing /etc/letsencrypt/renewal/domain1.com-0001.conf
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/domain1.com-0001/fullchain.pem
Processing /etc/letsencrypt/renewal/domain1.com.conf
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/domain1.com/fullchain.pem
In order to have something clean, I’d like to remove the old certificate (i.e. domain1.com.conf) and keep only the one I’m actually using.
Deleting /etc/letsencrypt/renewal/domain1.com.conf should do the trick. The client scans /etc/letsencrypt/renewal/ for .conf files and runs the renewal procedure for each file.
This will prevent the renewal, but will it also remove the certificate altogether? (i.e. I'd still have reference to this old certificate in /etc/letsencrypt/archive/ and /etc/letsencrypt/live/, right?)
It won’t delete any certificates or key files, no. If you’re not using any of those files, deleting the corresponding directories in /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ shouldn’t cause any issues once you’ve removed the renewal config.
Revoking a certificate is something you want to do when your private key is compromised. There’s no reason to do it just because you’re not using the certificate anymore.
Just as a note, if you delete the .conf file without deleting the corresponding live and archive directories, you may encounter problems if you create a completely new certificate whose first domain name is exactly the same as the previous one. (Renewal should be fine.)
(If example.com.conf doesn’t exist anymore but live/example.com and archive/example.com do, no new certificate lineage can be created successfully whose first domain is example.com. Maybe we should have better error handling for this situation.)
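The half-deleted state described in the last two replies can be checked for before issuing a new certificate. The script below is an added example, not part of the original thread or of the Let's Encrypt client; it assumes the renewal/, live/ and archive/ layout named above, and its function names and output labels are hypothetical.

```shell
#!/bin/sh
# Added example: read-only consistency check of a Let's Encrypt config tree.
# Reports lineages whose renewal/, live/ and archive/ entries disagree.

le_lineage_audit() {
    root=${1:-/etc/letsencrypt}
    # Case 1: renewal config exists, but its live/ or archive/ directory is gone.
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue          # glob matched nothing
        name=$(basename "$conf" .conf)
        [ -d "$root/live/$name" ]    || echo "missing-live $name"
        [ -d "$root/archive/$name" ] || echo "missing-archive $name"
    done
    # Case 2: live/ or archive/ directory left behind without a renewal config.
    # This is the state that blocks a new lineage with the same first domain.
    for sub in live archive; do
        for dir in "$root/$sub"/*/; do
            [ -d "$dir" ] || continue       # glob matched nothing
            name=$(basename "$dir")
            [ -f "$root/renewal/$name.conf" ] || echo "orphan-$sub $name"
        done
    done
}

# Constructed sample tree (not real data): domain1.com-0001 is complete,
# domain1.com has had only its renewal config deleted.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/renewal" \
             "$t/live/domain1.com-0001" "$t/archive/domain1.com-0001" \
             "$t/live/domain1.com" "$t/archive/domain1.com"
    : > "$t/renewal/domain1.com-0001.conf"
    echo "$t"
}

sample=$(make_sample_tree)
le_lineage_audit "$sample"
rm -rf "$sample"
```

An empty result means every lineage has all three entries; the script only reads the tree and never deletes anything.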