How to remove sites I removed from Apache?

I tried to renew the certs for a few sites I have on the server. But, I'm getting "All renewal attempts failed...." errors for sites which I no longer have on that server. I renamed the apache configuration files under \sites-enabled to now have .bak extensions. I then restarted Apache, but certbot continues to try to renew certs for sites / domains I no longer have. Is there a certbot configuration to make old sites obsolete?

3 Likes

Certbot isn't aware of the deletion of the sites from Apache. It keeps its own list of certificates. You can run certbot certificates to view all the certificates known to certbot. You can also see the "certificate name" in that list. And you can delete a certificate by running certbot delete --cert-name certificate-name-you-found-in-the-list

3 Likes

Thank you. Definitely on the right path now. I removed two blatantly obsolete certificates.

However, the one remaining certificate continues to generate errors because it includes domains which I am currently using as well as references to domains that are now obsolete. Is there a way to remove the domains from the remaining certificate?

3 Likes

Unfortunately, no. However, there is an option called --allow-subset-of-names:

--allow-subset-of-names tells Certbot to continue with certificate generation if only some of the specified domain authorizations can be obtained. This may be useful if some domains specified in a certificate no longer point at this system.

See for more info:

https://certbot.eff.org/docs/using.html#re-creating-and-updating-existing-certificates

I would recommend using that option only in combination with --cert-name, so you only renew that specific certificate with that option, because you might have a temporary failure for a hostname you actually want to keep in some other certificate, which would then get removed due to this option. Renewing just one cert with this option will limit the possible fallout.

If you've already tried to renew the certificate before and all the other challenges have succeeded, with only the to-be-removed hostnames ending in a failure, you should be fine.

3 Likes

Works perfectly. Thank you for the fantastic help and detailed explanations. Even a total novice like me can understand.

4 Likes

I might add that you can also use --cert-name name and specify the entire list of wanted domain names (with -d "list,of,names") to change the domain names associated with a certificate. This allows you to remove the unneeded domain names from your certificate so they won't be renewed in the future (and thus you won't need to use --allow-subset-of-names to avoid the errors).

3 Likes
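
An added example for the approach in the post above (not code from this thread or from the Certbot project): it reads `certbot certificates` output, drops the obsolete hostnames from one certificate's domain list, and prints the matching `certbot certonly --cert-name ... -d ...` call with `--dry-run` instead of running it. The sample output, the hostnames and the function names are constructed, and the layout of the "Certificate Name:" and "Domains:" lines is an assumption.

```shell
#!/bin/sh
# Added example; hostnames and the sample output below are constructed.
# Assumes "Certificate Name:" / "Domains:" lines as printed by `certbot certificates`.
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com old.example.net
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 30 days)
  Certificate Name: shop.example.org
    Domains: shop.example.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 30 days)'

# cert_domains NAME: print the domains of certificate NAME, one per line,
# from `certbot certificates` output on stdin (space- or comma-separated).
cert_domains() {
    awk -v want="$1" '
        $1 == "Certificate" && $2 == "Name:" { current = $3 }
        $1 == "Domains:" && current == want {
            for (i = 2; i <= NF; i++) { gsub(/,/, "", $i); print $i }
        }'
}

# kept_domains NAME OBSOLETE...: comma-separated list of NAME's domains
# without the obsolete ones (whole-name, case-insensitive match).
kept_domains() {
    name=$1; shift
    obsolete=$(printf '%s\n' "$@" | tr 'A-Z' 'a-z')
    cert_domains "$name" | tr 'A-Z' 'a-z' |
        grep -Fxv -e "$obsolete" | paste -sd, -
}

# reissue_command NAME OBSOLETE...: print (never run) the certbot call.
# Fails when no domain would remain; that case is `certbot delete --cert-name`.
reissue_command() {
    keep=$(kept_domains "$@")
    if [ -z "$keep" ]; then
        echo "no domains left for $1; delete the certificate instead" >&2
        return 1
    fi
    printf 'certbot certonly --cert-name %s -d %s --dry-run\n' "$1" "$keep"
}

# Demo on the constructed sample: drop old.example.net from "example.com".
printf '%s\n' "$SAMPLE_OUTPUT" | reissue_command example.com old.example.net
```

To use it on a real host, pipe the actual `certbot certificates` output into `reissue_command` and check the result of the dry run before running the printed command without `--dry-run`.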

@griffin Can you use that in combination with renew? The power of renew is that it'll keep all renewal configurations intact. I'm guessing that if you don't use renew but run or certonly in combination with -d, you'll also need to specify, for example, --rsa-key-size again if necessary. And the authenticator and installer perhaps?

3 Likes

Absolutely.

Certificate Name shows the name of the certificate. Pass this name using the --cert-name flag to specify a particular certificate for the run, certonly, certificates, renew, and delete commands.

https://certbot.eff.org/docs/using.html#managing-certificates

2 Likes

Euh, yes, that I know, see my post where I recommend it :smiley:

I meant using -d.

2 Likes

I believe so. One of the best ways I've found to tweak a certificate is to use renew with --cert-name then specify the parameters you want to tweak.

The only "confirmation" I can find in the guide is the name of the section where -d is found in the command line options:

obtain, install, and renew certificates:
    (default) run   Obtain & install a certificate in your current webserver
    certonly        Obtain or renew a certificate, but do not install it
    renew           Renew all previously obtained certificates that are near expiry
    enhance         Add security enhancements to your existing configuration
   -d DOMAINS       Comma-separated list of domains to obtain a certificate for

This is weak. I know. There are many confusions just in that block of text alone:

  • certonly being called "obtain" (though it should just be called acquire)
  • certonly being used to "renew" a certificate (amazingly this confusing wording appears many times throughout the guide)
  • install not being mentioned at all
  • No clear indication if -d can be used with renew

https://certbot.eff.org/docs/using.html#certbot-command-line-options

2 Likes
