At some point in the medium term I might move a subdomain to a new server.
I imagine I would need to run the initial commands on the new server (including, from memory, sudo certbot --apache -d a.domain1.com).
I think on the existing server I'd have to run the usual certbot command again, from scratch, just without listing the missing subdomain. Or is there a way of just removing the missing subdomain without creating a new certificate? I've seen several comments about avoiding wasting resources.
You cannot everchange a specific certificate after it has been issued. That's the whole idea behind the cryptographic principles of the certificate. Any change in a certificate requires a new issuance of th certificate.
That said, there is an option called --allow-subset-of-names which will drop any hostname from the certificate if it doesn't verify correctly at renewal (i.e., when you'd run certbot renew --allow-subset-of-names). However, if a hostname you do want included in the certificate fails for some reason, it won't be included either. See the documentation:
--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)
Of course you can check if the staging server verifies all the required hostnames correctly using --dry-run, but there is always a slight chance of discrepancy between the staging and production environments (although that shouldn't happen of course, however, there have been performance issues with the dns-01 challenge from secondary vantage points of the production environment if I recall correctly).
At the moment, the only other option to remove hostnames from a certificate (although the certificate itself can't be changed, it is of course convenient to speak as if you could ) is to issue a new certificate with the whole CLI command including al the required options and hostnames, but now without the hostnames you want left out.
By the way, the certbot team is aware this is not ideal, but the issue on Github is still open after two years with priority "Wishlist". So it seems the team doesn't think it's a big deal. (I personally disagree.)
) is to issue a new certificate with the whole CLI command including al the required options and hostnames, but now without the hostnames you want left out.