How to remove old, bad configuration?


#1

Hi!

A few months ago I created official certificates for my different web sites. I have two different domain names but because I didn’t know LE very well, I created everything in one command, which eventually I found not to be very good for maintenance. So I recreated certificates, one for each domain. It created new *-0001 dirs and files, which I’m using now.

Today I renewed my certificates simply using ./letsencrypt-auto renew and everything worked fine, but I saw that my old, unused certificates were also renewed:

Processing /etc/letsencrypt/renewal/domain1.com-0001.conf
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/domain1.com-0001/fullchain.pem
Processing /etc/letsencrypt/renewal/domain1.com.conf
new certificate deployed without reload, fullchain is /etc/letsencrypt/live/domain1.com/fullchain.pem

In order to have something clean, I’d like to remove the old certificate (i.e. domain1.com.conf) and keep only the one I’m actually using.

How do I do that?

Thanks!


#2

Deleting /etc/letsencrypt/renewal/domain1.com.conf should do the trick. The client scans /etc/letsencrypt/renewal/ for .conf files and runs the renewal procedure for each file.


#3

Thanks.

This will prevent the renewal, but will it also remove the certificate altogether? (i.e. I’d still have reference to this old certificate in /etc/letsencrypt/archive/ and /etc/letsencrypt/live/, right?)


#4

It won’t delete any certificates or key files, no. If you’re not using any of those files, deleting the corresponding directories in /etc/letsencrypt/live/ and /etc/letsencrypt/archive/ shouldn’t cause any issues once you’ve removed the renewal config.


#5

Simply deleting the live and archive directories is enough, I don’t need to revoke anything, it will be revoked by itself with time?


#6

Revoking a certificate is something you want to do when your private key is compromised. There’s no reason to do it just because you’re not using the certificate anymore.


#7

All right! Thanks for all these answers!


#8

Just as a note, if you delete the .conf file without deleting the corresponding live and archive directories, you may encounter problems if you create a completely new certificate whose first domain name is exactly the same as the previous one. (Renewal should be fine.)

(If example.com.conf doesn’t exist anymore but live/example.com and archive/example.com do, no new certificate lineage can be created successfully whose first domain is example.com. Maybe we should have better error handling for this situation.)
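The cleanup the thread converges on (remove renewal/NAME.conf, then live/NAME and archive/NAME, and avoid the half-done state described in #8) as a small POSIX shell helper. This is an added example, not code from the thread or from the certbot project; it assumes the standard layout under a configurable config directory (/etc/letsencrypt by default) and a web-server config directory to grep for references before anything is deleted. Newer certbot releases also provide `certbot delete --cert-name NAME`, which does the same removal for you.

```shell
#!/bin/sh
# Added example: tidy an unused certbot/letsencrypt lineage safely.
# Assumed layout (the standard one):
#   $config_dir/renewal/NAME.conf   $config_dir/live/NAME/   $config_dir/archive/NAME/
# NAME is the lineage name, e.g. "domain1.com" or "domain1.com-0001".

# Print lineage names that still have live/ or archive/ directories but no
# renewal .conf; this is the orphaned state post #8 warns about.
find_orphans() {
    config_dir="$1"
    for d in "$config_dir"/live/*/ "$config_dir"/archive/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        [ -f "$config_dir/renewal/$name.conf" ] || echo "$name"
    done | sort -u
}

# Return 0 if any file under live/NAME/ is referenced by a file in the
# web-server config directory (hypothetical path supplied by the caller).
# The trailing slash matters: "live/domain1.com/" must not match
# "live/domain1.com-0001/".
lineage_in_use() {
    config_dir="$1"; name="$2"; server_conf_dir="$3"
    [ -d "$server_conf_dir" ] || return 1
    grep -rqF "$config_dir/live/$name/" "$server_conf_dir"
}

# Remove the renewal conf AND the live/archive directories together, so no
# orphan is left behind. Refuses if the web server still points at the lineage.
remove_lineage() {
    config_dir="$1"; name="$2"; server_conf_dir="$3"
    case "$name" in ''|*/*|.|..) echo "bad lineage name: $name" >&2; return 2 ;; esac
    if lineage_in_use "$config_dir" "$name" "$server_conf_dir"; then
        echo "refusing: $name is still referenced in $server_conf_dir" >&2
        return 1
    fi
    rm -f "$config_dir/renewal/$name.conf"
    rm -rf "$config_dir/live/$name" "$config_dir/archive/$name"
}

# Usage (commented out so the script is safe to source):
#   find_orphans /etc/letsencrypt
#   remove_lineage /etc/letsencrypt domain1.com /etc/nginx
```

Run `find_orphans` first; any name it prints is a lineage whose leftover directories would block creating a new certificate with that first domain name. Follow up with a `renew --dry-run`, as in #9, to confirm the remaining lineages still renew.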


#9

Thanks, fortunately I deleted the conf file and the live and archive directories :wink:

I tried a renew --dry-run and it worked very well.

