Is there a way to exclude specific domains from Certbot?


I’m using domains from an alternate DNS root and Certbot breaks when I try to run it with those domains in the server files. Is there a way to list domains to be excluded each time I run Certbot?


Do you mean like .onion or .bit or .internal?

How does Certbot break?

If you know exactly which domains you want, you should be able to just do:

certbot --apache -d -d

and it won’t bother about any other domains.


Does the -d flag remove those domains? If so it will be easy to put them into a file.

I’m using OpenNIC domains.


-d specifies which domains you want to be included on a certificate.

Certbot shouldn’t be “breaking” when it encounters domains it can’t resolve. I’d like to see what the actual error/output is, so that we can differentiate between a validation error (i.e. CA thinks the DNS doesn’t resolve) or an actual error/bug (Certbot can’t parse webserver config).

The answer to your question relies on that.


It says there was an error because a name didn’t end in a public suffix. Specifying a list of domains with a file would also work.


Cool, that’s an expected CA error.

So using a bunch of -d is probably your best option.

Edit: I suggested --allow-subset-of-names but on second thought that probably won’t work, because the alternate root domains would be rejected at the new-order stage, not during validation. Sorry! Your use case is not that common I guess.
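As an added example (not code from anyone in this thread, and not part of Certbot itself), the following POSIX shell script implements the “list of domains in a file, then pass a bunch of -d” approach discussed above. It reads one name per line from a file, drops any name whose top-level label is in an exclusion list, and prints the resulting -d arguments. The file path, the `EXCLUDED_TLDS` variable and the sample TLDs in it are assumptions for the example; check OpenNIC’s published list before relying on it. Note that it only filters against that fixed list, it does not consult the Public Suffix List, so a name under some other non-public suffix would still reach the CA and be rejected at the new-order stage as described.

```shell
#!/bin/sh
# Added example: build a "-d name -d name ..." argument list for certbot from a
# domain file, skipping names under alternate-root TLDs. Not Certbot's own code.

# Sample exclusion list (assumed for this example; verify against OpenNIC's
# current TLD list). Override with EXCLUDED_TLDS="..." in the environment.
EXCLUDED_TLDS="${EXCLUDED_TLDS:-bbs chan dyn geek libre null o oss oz parody pirate}"

# Print the top-level label of a domain name, lowercased.
tld_of() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | sed 's/.*\.//'
}

# Return 0 (true) if the TLD of $1 is in EXCLUDED_TLDS, 1 otherwise.
is_excluded() {
    tld=$(tld_of "$1")
    for ex in $EXCLUDED_TLDS; do
        [ "$tld" = "$ex" ] && return 0
    done
    return 1
}

# Read one domain per line from the file named by $1 (blank lines and lines
# starting with '#' are ignored) and print one line of "-d name" arguments
# for every name that is not excluded. Skipped names are reported on stderr.
build_certbot_args() {
    args=""
    while IFS= read -r name || [ -n "$name" ]; do
        case "$name" in ''|'#'*) continue ;; esac
        if is_excluded "$name"; then
            printf 'skipping %s (alternate-root TLD)\n' "$name" >&2
            continue
        fi
        args="$args -d $name"
    done < "$1"
    printf '%s\n' "${args# }"
}

# Usage: sh build_args.sh domains.txt  ->  prints the certbot command to review.
if [ -n "${1:-}" ]; then
    printf 'certbot --apache %s\n' "$(build_certbot_args "$1")"
fi
```

Run it against your domain file first and review the printed command before executing it; because the -d names are written explicitly, Certbot will not pull any other names out of the web server configuration.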


I’m confused…
How are names being included?
How is that process including names you don’t want included?