Remove domain not required from cert

Right now, the procedure for that would probably be something like this:

Before you start, create a backup of /etc/letsencrypt just in case, i.e. cp /etc/letsencrypt/ /etc/letsencrypt.backup -r

Let’s say you have two certificate lineages, foo.example.com and bar.example.com.
The certificates for foo.example.com are stored in /etc/letsencrypt/live/foo.example.com, for bar.example.com in /etc/letsencrypt/live/bar.example.com.

If you’re unsure which lineage contains which domains, try this for all subdirectories in /etc/letsencrypt/live:

openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -text -noout | grep DNS

If you want to remove everything in the bar.example.com lineage (that is, bar.example.com and any other domains covered by that certificate), you can delete the following files:

rm -rf /etc/letsencrypt/live/bar.example.com/
rm -rf /etc/letsencrypt/archive/bar.example.com/
rm /etc/letsencrypt/renewal/bar.example.com.conf

That’s it.

If you just want to remove one (or a couple) of domains that were included in the bar.example.com - let’s say you don’t want sample.bar.example.com, but still need othersample.bar.example.com and bar.example.com - you can use the same rm commands, and afterwards request a new certificate using only the domains you want to keep. Full example (with webroot, but you can of course use whatever you initially used to get the certificates):

rm -rf /etc/letsencrypt/live/bar.example.com/
rm -rf /etc/letsencrypt/archive/bar.example.com/
rm /etc/letsencrypt/renewal/bar.example.com.conf
# this will install a new certificate in bar.example.com, excluding sample.bar.example.com
./letsencrypt-auto certonly --webroot -d bar.example.com -d othersample.bar.example.com -w /var/www/html/

If anything goes wrong while you’re doing this, run mv /etc/letsencrypt /etc/letsencrypt.broken && mv /etc/letsencrypt.backup/ /etc/letsencrypt and you’re back where you started. :smile:

Hope this helps!

11 Likes