Remove domain not required from cert


I’ve chosen to do the following:

  • which allows creation of individual certificates one per domain. This means that when you view the certificate via the padlock next to the URL in the browser, you will now only see the domain for that certificate listed, instead of a list of all the domains that are using a single certificate as before (which could have privacy implications)
  • using the above approach does mean having to start again and discarding the previous certificate. If you have a large number of sites to do in this way, bear in mind if there is a limit to how many certificates that let’s encrypt will issue in a certain space of time, so it would be best to stagger i.e. do a few domains each week, for example.


There are a simple way to do "certbot remove domain" when the domain is secondary (is an alternative name)?

PS : how to list main and alternative domains, to check it after remove?


In more recent versions of Certbot, you can use certbot certificates to view what certificates you have and the names that Certbot uses to refer to them.

You can then also use --cert-name to select a particular certificate. This is the only way to remove names, because you can then give a new list of the desired names with -d, which may be shorter than (or totally different from) the existing list of names.

Without --cert-name, or in older versions of Certbot that don’t understand it, there is no way to do this; Certbot will always create a separate certificate alongside the existing one.


Thanks (!). I try sudo certbot certificates that shows

  • Certificate Name:
  • Domains:,,,

So I try sudo certbot --cert-name and shows

Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name 
  (expected /etc/letsencrypt/renewal/

PS: and I not understand the answer, can I delete an item from “Domains” list?


The --cert-name can only be the name shown on the “Certificate Name:” line. It can’t be any other name. That is the single name that Certbot uses to refer to the certificate in question.

You can delete an item from the Domains list by running certbot --cert-name -d -d -d and omitting the item that you want to delete from the -d list.

The effect of this command is to replace the existing certificate by a new certificate containing only the domains specified by -d options, and no others. So if you don’t mention one with -d here, it will not be included in the new version of the certificate.


I found the command above was missing one tiny detail… certbot certonly --cert-name -d

Adding the certonly command, allowed certbot to run fine and remove the domain from the certificate


Thanks for the correction, that’s quite right! I’m glad it worked for you.


The easiest solution, that worked well for me is this command:

sudo certbot renew --allow-subset-of-names

I think the --allow-subset-of-names flag is new. People looking for a solution and finding this thread may find this useful.


However, people just reading this last post should read back over the thread to learn about caveats using this flag as a rule. Specifically how intermittent failures of a single SAN authorization during renewal will cause that name to be dropped from the certificate silently, when this may not have been the desired or expected outcome.


… And about “purge” a cert-name, preserving other?

The command certbot certificates at my server show something as:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: MyDomain1
    Domains: ...
    Expiry Date: 2017-10-24 10:22:00+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/MyDomain1/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/MyDomain1/privkey.pem
  Certificate Name: MyDomain2
    Domains: ....
    Expiry Date: 2017-11-10 02:22:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/MyDomain2/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/MyDomain2/privkey.pem

The first, MyDomain1 is rubbish! (use a subset of MyDomain2 domains and removed-from-server domains), nobody using it… And not make sense a cert-name about domain that not exist.

The second is in production, I am using it (!).

How to delete only MyDomain1?

PS: Hi @schoen, some direct and reliable command? some clues for a reliable procedure?



I’m uncertain what you want to do, but you can delete a certificate lineage and all of its files with “certbot delete --cert-name MyDomain1”.

If you want to keep the lineage, but add or remove names, how to do that should be explained earlier in this thread.


@mnordhoff’s suggestion is the standard way to do this from my point of view.