No longer using a subdomain certificates created for. Renewal dry-run indicates renewal will fail. How to fix?

When I created the certificates for the website using certbot I identified (as an example for this post) mydomain.com as well as the subdomain www.mydomain.com.

At the time my DNS server was setup with an A-type record for mydomain.com, and I cannot recall if also an A-type record for the www.mydomain.com or if it was using a CNAME type record for the subdomain. In either case the original creation of the certificate was successful and included both domains; however, since that time I have decided not to support the www subdomain at all and just to go with a "naked" domain name approach for all URLs.

The issue is now I am trying to automate renewals for this certificate and during my testing with

certbot renew --dry-run

the results indicate that some of the challenges are failing - those related to www.mydomain.com - because the DNS records are not found (because I deleted them).

How should I best move forward to minimize issues? Should i just use certbot to delete the certificate, and create a new one that identifies only the primary domain?

Thank you for your advice!

1 Like

My advice would be to modify the existing certificate. See the Certbot user guide about changing the certificates hostnames here: User Guide — Certbot 1.27.0 documentation: Changing a Certificate’s Domains.

There unfortunately is no easier way to tell Certbot to drop or add a specific hostname from/to a certificate, the above guide requires using the -d option to tell Certbot the hostnames you want in the new cert. In your case with just two hostnames in the old cert and just a single one in the new cert this isn't really a big deal, but with large certs this could be a hassle. I'm also not sure what happens if you use the above guide with settings previously used, such as installer and/or authenticator options, perhaps webroot paths, I dunno. Only one way to find out: try it out!

Another option which can be interesting and would prevent the hassle above is the --allow-subset-of-names option to Certbot, which can be used with the renew subcommand. That option would tell Certbot to simply drop all failed hostnames and get a cert with just the hostnames which were successfully validated. Note that this can be a good thing AND a bad thing, depending on the reason of a failing hostname. In your case if the bare domain name validates successfully and just the www subdomain fails, this option could be an option to modify your cert.

6 Likes

Hi Osiris,

Thank you for tip and link to documentation.

I successfully used the -d option to renew the certificate while modifying to a new list of domain names; in this case just the primary.

craig

3 Likes