I tried to renew the certs for a few sites I have on the server. But, I'm getting "All renewal attempts failed...." errors for sites which I no longer have on that server. I renamed the apache configuration files under \sites-enabled to now have .bak extensions. I then restarted Apache, but certbot continues to try to renew certs for sites / domains I no longer have. Is there a certbot configuration to make old sites obsolete?
Certbot isn't aware of the deletion of the sites from Apache. It keeps its own list of certificates. You can run
certbot certificates to view all the certificates known to certbot. You can also see the "certificate name" in that list. And you can delete a certificate by running
certbot delete --cert-name certificate-name-you-found-in-the-list
Thank you. Definitely on the right path now. I removed two blatantly obsolete certificates.
However, the one remaining certificate continues to generate errors because it includes domains which I am currently using as well as references to domains that are now obsolete. Is there a way to remove the domains from the remaining certificate?
Unfortunately, no. However, there is an option called
--allow-subset-of-names tells Certbot to continue with certificate generation if only some of the specified domain authorizations can be obtained. This may be useful if some domains specified in a certificate no longer point at this system.
See for more info:
I would recommend using that option only in combination with
--cert-name so you only renew that specific certificate with that option, because you might have a temporary failure for a hostname you actually want to keep in some other certificate, but which gets removed due to this option. Renewing just one cert with this option will limit the possible fallout.
If you've already tried to renew the certificate before and all the other challenges have succeeded, with only the to-be-removed hostnames ending in a failure, you should be fine.
Works perfectly. Thank you for the fantastic help and detailed explanations. Even a total novice like me can understand.
I might add that you can also use --cert-name name and specify the entire list of wanted domain names (with
-d "list,of,names") to change the domain names associated with a certificate. This allows you to remove the unneeded domain names from your certificate so they won't be renewed in the future (and thus you won't need to use
--allow-subset-of-names to avoid the errors).
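The two suggestions above (delete certificates that are entirely obsolete; re-issue the rest with a trimmed -d list via --cert-name) can be turned into a dry-run check. The script below is an added example, not code from the thread or from certbot: it parses the "Certificate Name:" and "Domains:" lines of certbot certificates output, compares each domain against the hostnames this server still serves, and prints the certbot command that would be appropriate for each certificate. The certbot listing and the served-hostname list are constructed sample data; nothing is executed against certbot.

```shell
#!/bin/sh
# Added example (not from the thread or certbot): plan per-certificate cleanup
# from `certbot certificates` output. Dry run only; it prints commands.

# Constructed sample of `certbot certificates` output (not a real listing).
SAMPLE_CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: example.com
    Domains: example.com www.example.com old.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
  Certificate Name: gone.example
    Domains: gone.example www.gone.example
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
  Certificate Name: keep.example
    Domains: keep.example
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)'

# Constructed list of hostnames that still have an enabled Apache vhost.
STILL_SERVED="example.com www.example.com keep.example"

# Returns 0 if $1 appears in the space-separated STILL_SERVED list.
is_served() {
  for h in $STILL_SERVED; do
    [ "$h" = "$1" ] && return 0
  done
  return 1
}

# Reads certbot output on stdin and prints one line per certificate:
#   certbot delete --cert-name NAME          (no domain is served any more)
#   certbot certonly --cert-name NAME -d ... (only some domains are served)
#   keep NAME                                (every domain is still served)
plan_cert_actions() {
  name=""
  while IFS= read -r line; do
    case "$line" in
      *"Certificate Name:"*)
        name="${line#*Certificate Name: }"
        ;;
      *"Domains:"*)
        domains="${line#*Domains: }"
        kept=""
        for d in $domains; do
          if is_served "$d"; then
            kept="${kept:+$kept,}$d"
          fi
        done
        if [ -z "$kept" ]; then
          printf 'certbot delete --cert-name %s\n' "$name"
        elif [ "$(printf '%s' "$kept" | tr ',' ' ')" = "$domains" ]; then
          printf 'keep %s\n' "$name"
        else
          printf 'certbot certonly --cert-name %s -d %s\n' "$name" "$kept"
        fi
        ;;
    esac
  done
}

# Runs the planner over the constructed sample.
plan_for_sample() {
  printf '%s\n' "$SAMPLE_CERTBOT_OUTPUT" | plan_cert_actions
}

plan_for_sample
```

To use it against a real server, replace the sample with the output of certbot certificates and fill STILL_SERVED from the vhosts that are actually enabled. The printed certonly line carries only --cert-name and -d; as noted later in this thread, a certonly re-issue does not reuse the renewal configuration, so the authenticator, installer and key-size options may need to be given again on that command.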
@griffin Can you use that in combination with
renew? The power of
renew is that it'll keep all renewal configurations intact. I'm guessing that if you don't use
renew but with
certonly in combination with
-d, you'll also need to specify, for example,
--rsa-key-size again if necessary. And the authenticator and installer perhaps?
Certificate Name shows the name of the certificate. Pass this name using the
--cert-name flag to specify a particular certificate for the
Euh, yes, that I know, see my post where I recommend it
I meant using
I believe so. One of the best ways I've found to tweak a certificate is to use
--cert-name then specify the parameters you want to tweak.
The only "confirmation" I can find in the guide is the name of the section where
-d is found in the command line options:
obtain, install, and renew certificates:
  run         Obtain & install a certificate in your current webserver
  certonly    Obtain or renew a certificate, but do not install it
  renew       Renew all previously obtained certificates that are near expiry
  enhance     Add security enhancements to your existing configuration
  -d DOMAINS  Comma-separated list of domains to obtain a certificate for
This is weak. I know. There are many confusions just in that block of text alone:
- certonly being called "obtain" (though it should just be called
- certonly being used to "renew" a certificate (amazingly this confusing wording appears many times throughout the guide)
- install not being mentioned at all
- No clear indication if -d can be used with renew