How to remove old, bad configuration?

Hi!

A few months ago I created official certificates for my different web sites. I have two different domain names but because I didn’t know LE very well, I created everything in one command, which eventually I found not to be very good for maintenance. So I recreated certificates, one for each domain. It created new *-0001 dirs and files, which I’m using now.

Today I renewed my certificates simply using ./letsencrypt-auto renew and everything worked fine, but I saw that my old, unused certificates were also renewed:

Processing /etc/letsencrypt/renewal/domain1.com-0001.conf
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/domain1.com-0001/fullchain.pem
Processing /etc/letsencrypt/renewal/domain1.com.conf
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/domain1.com/fullchain.pem

In order to have something clean, I’d like to remove the old certificate (i.e. domain1.com.conf) and keep only the one I’m actually using.

How do I do that?

Thanks!


Deleting /etc/letsencrypt/renewal/domain1.com.conf should do the trick. The client scans /etc/letsencrypt/renewal/ for .conf files and runs the renewal procedure for each file.

Thanks.

This will prevent the renewal, but will it also remove the certificate altogether? (i.e. I'd still have reference to this old certificate in /etc/letsencrypt/archive/ and /etc/letsencrypt/live/, right?)

It won’t delete any certificates or key files, no. If you’re not using any of those files, deleting the corresponding directories in /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ shouldn’t cause any issues once you’ve removed the renewal config.

Simply deleting the live and archive directories is enough, I don’t need to revoke anything, it will be revoked by itself with time?

Revoking a certificate is something you want to do when your private key is compromised. There’s no reason to do it just because you’re not using the certificate anymore.

All right! Thanks for all these answers!

Just as a note, if you delete the .conf file without deleting the corresponding live and archive directories, you may encounter problems if you create a completely new certificate whose first domain name is exactly the same as the previous one. (Renewal should be fine.)

(If example.com.conf doesn’t exist anymore but live/example.com and archive/example.com do, no new certificate lineage can be created successfully whose first domain is example.com. Maybe we should have better error handling for this situation.)
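The advice in this thread amounts to removing three things together for an unused lineage: the renewal config, the live/ directory of symlinks, and the archive/ directory holding the actual key and certificate files. The script below is an added example (not code from the original thread or from the certbot project) that does exactly that, with two safety checks: it refuses to touch a name that has no lineage at all, and it refuses to delete an archive/ directory that some other live/ symlink still points into. The root directory, the demo tree builder and the placeholder PEM contents are constructed for this example; the layout it assumes (renewal/NAME.conf, live/NAME/*.pem symlinks into archive/NAME/*N.pem) is the standard one the thread describes.

```shell
#!/bin/sh
# Added example: clean removal of an unused certificate lineage.
# Assumes the standard layout: ROOT/renewal/NAME.conf, ROOT/live/NAME/,
# ROOT/archive/NAME/. ROOT defaults to /etc/letsencrypt.

# lineage_exists NAME [ROOT]: succeed if any of the three pieces is present.
lineage_exists() {
    name="$1"; root="${2:-/etc/letsencrypt}"
    [ -e "$root/renewal/$name.conf" ] || [ -d "$root/live/$name" ] \
        || [ -d "$root/archive/$name" ]
}

# remove_lineage NAME [ROOT]: delete renewal conf, live dir and archive dir.
remove_lineage() {
    name="$1"; root="${2:-/etc/letsencrypt}"
    conf="$root/renewal/$name.conf"
    live="$root/live/$name"
    archive="$root/archive/$name"

    if ! lineage_exists "$name" "$root"; then
        echo "no lineage named '$name' under $root" >&2
        return 1
    fi

    # Safety check: no symlink belonging to a *different* lineage may still
    # resolve into the archive directory we are about to delete.
    for link in "$root"/live/*/*.pem; do
        [ -L "$link" ] || continue
        case "$link" in "$live"/*) continue ;; esac
        case "$(readlink "$link")" in
            *"/archive/$name/"*)
                echo "refusing: $link still points into $archive" >&2
                return 1 ;;
        esac
    done

    rm -f "$conf"
    rm -rf "$live" "$archive"
    echo "removed lineage $name (renewal conf, live/, archive/)"
}

# make_demo_tree ROOT NAME: build a constructed, offline copy of the layout
# so the functions above can be exercised without touching a real install.
make_demo_tree() {
    root="$1"; name="$2"
    mkdir -p "$root/renewal" "$root/live/$name" "$root/archive/$name"
    printf 'archive_dir = %s\n' "$root/archive/$name" > "$root/renewal/$name.conf"
    for f in cert chain fullchain privkey; do
        echo "constructed placeholder, not a real PEM" > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
}

# Demo run against a throwaway tree, mirroring the thread's domain1.com case.
demo_root=$(mktemp -d)
make_demo_tree "$demo_root" domain1.com
make_demo_tree "$demo_root" domain1.com-0001
remove_lineage domain1.com "$demo_root"
ls "$demo_root/live"        # only domain1.com-0001 remains
rm -rf "$demo_root"
```

Run it as `remove_lineage domain1.com` against a real tree only after confirming with `ls -l /etc/letsencrypt/live/` which lineage your web server actually loads, since the script deletes private keys. Newer certbot releases provide `certbot delete --cert-name NAME`, which performs the same three-way removal and is the preferable route where it is available.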

Thanks, fortunately I deleted the conf file and the live and archive directories :wink:

I tried a renew --dry-run and it worked very well.
