which allows creation of individual certificates, one per domain. This means that when you view the certificate via the padlock next to the URL in the browser, you will now only see the domain for that certificate listed, instead of a list of all the domains that are using a single certificate as before (which could have privacy implications).
Using the above approach does mean having to start again and discarding the previous certificate. If you have a large number of sites to do in this way, bear in mind that there may be a limit to how many certificates Let's Encrypt will issue in a certain space of time, so it would be best to stagger them, i.e. do a few domains each week, for example.
In more recent versions of Certbot, you can use certbot certificates to view what certificates you have and the names that Certbot uses to refer to them.
You can then also use --cert-name example.com to select a particular certificate. This is the only way to remove names, because you can then give a new list of the desired names with -d, which may be shorter than (or totally different from) the existing list of names.
Without --cert-name, or in older versions of Certbot that don’t understand it, there is no way to do this; Certbot will always create a separate certificate alongside the existing one.
Thanks (!). I try sudo certbot certificates, which shows
Certificate Name: xxxxx.org
Domains: xxxxx.com, yyyyy.org, yyyyy.com, …
So I try sudo certbot --cert-name xxxxx.com and it shows
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name xxxxx.com
(expected /etc/letsencrypt/renewal/fabrincantes.com.conf).
PS: And I don't understand the answer; can I delete an item from the “Domains” list?
The --cert-name can only be the name shown on the “Certificate Name:” line. It can’t be any other name. That is the single name that Certbot uses to refer to the certificate in question.
You can delete an item from the Domains list by running certbot --cert-name xxxx.org -d xxxxx.com -d yyyy.org -d yyyy.com and omitting the item that you want to delete from the -d list.
The effect of this command is to replace the existing certificate by a new certificate containing only the domains specified by -d options, and no others. So if you don’t mention one with -d here, it will not be included in the new version of the certificate.
However, people just reading this last post should read back over the thread to learn about caveats using this flag as a rule. Specifically how intermittent failures of a single SAN authorization during renewal will cause that name to be dropped from the certificate silently, when this may not have been the desired or expected outcome.
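As an added example, not part of this thread and not Certbot's own code: a small POSIX shell helper that turns the procedure above into something checkable. It reads the "Certificate Name:" / "Domains:" lines of `certbot certificates` output, prints the re-issue command with one name omitted (the command from the reply above), and, after the renewal, compares the names you asked for against the names Certbot now reports so that a name silently dropped by a failed authorization (the caveat just described) does not go unnoticed. Both listings below are constructed with the thread's placeholder names and mirror the space-separated "Domains:" format Certbot prints; the function and variable names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): build the "drop one name" re-issue
# command from `certbot certificates` output, and afterwards detect names
# that were expected but are missing from the renewed certificate.

# Constructed `certbot certificates` output BEFORE the change (placeholder names).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: xxxxx.org
    Domains: xxxxx.com yyyyy.org yyyyy.com
    Expiry Date: 2024-01-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/xxxxx.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/xxxxx.org/privkey.pem'

# Constructed output AFTER the renewal: we asked for xxxxx.com and yyyyy.org,
# but the yyyyy.org authorization failed and the name was dropped silently.
AFTER_CERTS='Found the following certs:
  Certificate Name: xxxxx.org
    Domains: xxxxx.com
    Expiry Date: 2024-03-01 00:00:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/xxxxx.org/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/xxxxx.org/privkey.pem'

# cert_domains NAME LISTING
# Print, one per line, the names on the certificate whose "Certificate Name:"
# is NAME. Only that value is accepted by --cert-name (see the reply above).
cert_domains() {
  printf '%s\n' "$2" | awk -v name="$1" '
    $1 == "Certificate" && $2 == "Name:" { current = $3 }
    $1 == "Domains:" && current == name { for (i = 2; i <= NF; i++) print $i }
  '
}

# reissue_without NAME DROP LISTING
# Print the certbot command that replaces certificate NAME with one carrying
# every current name except DROP. Fails if DROP is not on the certificate, so a
# typo cannot turn into a full re-issue of the unchanged name list.
reissue_without() {
  ri_cmd="certbot --cert-name $1"
  ri_found=0
  for ri_d in $(cert_domains "$1" "$3"); do
    if [ "$ri_d" = "$2" ]; then
      ri_found=1
      continue
    fi
    ri_cmd="$ri_cmd -d $ri_d"
  done
  if [ "$ri_found" -eq 0 ]; then
    echo "error: $2 is not on certificate $1" >&2
    return 1
  fi
  printf '%s\n' "$ri_cmd"
}

# dropped_names NAME "EXPECTED NAMES" LISTING
# Print every expected name that is absent from the certificate Certbot now
# reports under NAME. Empty output means nothing was lost during renewal.
dropped_names() {
  for dn_want in $2; do
    if ! cert_domains "$1" "$3" | grep -qxF "$dn_want"; then
      printf '%s\n' "$dn_want"
    fi
  done
}

# Demonstration with the constructed listings.
reissue_without xxxxx.org yyyyy.com "$SAMPLE_CERTS"
missing=$(dropped_names xxxxx.org "xxxxx.com yyyyy.org" "$AFTER_CERTS")
if [ -n "$missing" ]; then
  echo "WARNING: names missing from xxxxx.org after renewal: $missing"
fi
```

On a real host you would feed `sudo certbot certificates` into these functions instead of the constructed strings, and for a second opinion independent of Certbot's bookkeeping you can read the SAN list straight from the issued file with `openssl x509 -in /etc/letsencrypt/live/NAME/fullchain.pem -noout -ext subjectAltName`.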
The first, MyDomain1, is rubbish! (It uses a subset of MyDomain2's domains and removed-from-server domains); nobody is using it… And a cert-name for a domain that doesn't exist makes no sense.
The second is in production; I am using it (!).
How do I delete only MyDomain1?
PS: Hi @schoen, is there some direct and reliable command? Some clues for a reliable procedure?
Using certbot 0.19.0, the certificate name is the name reported by certbot certificates, without any additional .org. If you add .org, it will create a new certificate and will not update the previous one.
Thanks to @pfg for this answer. Several years later this thread helped enormously to clean up the domain-0001, domain-0002 cruft which had been gathering dust locally.