No longer using a subdomain certificates created for. Renewal dry-run indicates renewal will fail. How to fix?

When I created the certificates for the website using certbot I identified (as an example for this post) as well as the subdomain

At the time my DNS server was setup with an A-type record for, and I cannot recall if also an A-type record for the or if it was using a CNAME type record for the subdomain. In either case the original creation of the certificate was successful and included both domains; however, since that time I have decided not to support the www subdomain at all and just to go with a "naked" domain name approach for all URLs.

The issue is now I am trying to automate renewals for this certificate and during my testing with

certbot renew --dry-run

the results indicate that some of the challenges are failing - those related to - because the DNS records are not found (because I deleted them).

How should I best move forward to minimize issues? Should i just use certbot to delete the certificate, and create a new one that identifies only the primary domain?

Thank you for your advice!

1 Like

My advice would be to modify the existing certificate. See the Certbot user guide about changing the certificates hostnames here: User Guide — Certbot 1.27.0 documentation: Changing a Certificate’s Domains.

There unfortunately is no easier way to tell Certbot to drop or add a specific hostname from/to a certificate, the above guide requires using the -d option to tell Certbot the hostnames you want in the new cert. In your case with just two hostnames in the old cert and just a single one in the new cert this isn't really a big deal, but with large certs this could be a hassle. I'm also not sure what happens if you use the above guide with settings previously used, such as installer and/or authenticator options, perhaps webroot paths, I dunno. Only one way to find out: try it out!

Another option which can be interesting and would prevent the hassle above is the --allow-subset-of-names option to Certbot, which can be used with the renew subcommand. That option would tell Certbot to simply drop all failed hostnames and get a cert with just the hostnames which were successfully validated. Note that this can be a good thing AND a bad thing, depending on the reason of a failing hostname. In your case if the bare domain name validates successfully and just the www subdomain fails, this option could be an option to modify your cert.


Hi Osiris,

Thank you for tip and link to documentation.

I successfully used the -d option to renew the certificate while modifying to a new list of domain names; in this case just the primary.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.