Remove domain not required from cert

therobyouknow · November 26, 2016, 4:23pm

I’ve chosen to do the following:

which allows creation of individual certificates one per domain. This means that when you view the certificate via the padlock next to the URL in the browser, you will now only see the domain for that certificate listed, instead of a list of all the domains that are using a single certificate as before (which could have privacy implications)
using the above approach does mean having to start again and discarding the previous certificate. If you have a large number of sites to do in this way, bear in mind if there is a limit to how many certificates that let’s encrypt will issue in a certain space of time, so it would be best to stagger i.e. do a few domains each week, for example.

ppKrauss · March 15, 2017, 9:45pm

There are a simple way to do "certbot remove domain" when the domain is secondary (is an alternative name)?

PS : how to list main and alternative domains, to check it after remove?

schoen · March 15, 2017, 10:12pm

In more recent versions of Certbot, you can use certbot certificates to view what certificates you have and the names that Certbot uses to refer to them.

You can then also use --cert-name example.com to select a particular certificate. This is the only way to remove names, because you can then give a new list of the desired names with -d, which may be shorter than (or totally different from) the existing list of names.

Without --cert-name, or in older versions of Certbot that don’t understand it, there is no way to do this; Certbot will always create a separate certificate alongside the existing one.

ppKrauss · March 15, 2017, 10:22pm

Thanks (!). I try sudo certbot certificates that shows

Certificate Name: xxxxx.org
Domains: xxxxx.com, yyyyy.org, yyyyy.com, …

So I try sudo certbot --cert-name xxxxx.com and shows

Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name xxxxx.com 
  (expected /etc/letsencrypt/renewal/fabrincantes.com.conf).

PS: and I not understand the answer, can I delete an item from “Domains” list?

schoen · March 15, 2017, 10:30pm

The --cert-name can only be the name shown on the “Certificate Name:” line. It can’t be any other name. That is the single name that Certbot uses to refer to the certificate in question.

You can delete an item from the Domains list by running certbot --cert-name xxxx.org -d xxxxx.com -d yyyy.org -d yyyy.com and omitting the item that you want to delete from the -d list.

The effect of this command is to replace the existing certificate by a new certificate containing only the domains specified by -d options, and no others. So if you don’t mention one with -d here, it will not be included in the new version of the certificate.

dlintott · April 27, 2017, 10:58am

I found the command above was missing one tiny detail… certbot certonly --cert-name xxxx.org -d xxxx.org.

Adding the certonly command, allowed certbot to run fine and remove the domain from the certificate

schoen · April 27, 2017, 5:13pm

Thanks for the correction, that’s quite right! I’m glad it worked for you.

edwinm · July 29, 2017, 6:57am

The easiest solution, that worked well for me is this command:

sudo certbot renew --allow-subset-of-names

I think the --allow-subset-of-names flag is new. People looking for a solution and finding this thread may find this useful.

jared.m · July 29, 2017, 7:11pm

However, people just reading this last post should read back over the thread to learn about caveats using this flag as a rule. Specifically how intermittent failures of a single SAN authorization during renewal will cause that name to be dropped from the certificate silently, when this may not have been the desired or expected outcome.

ppKrauss · August 12, 2017, 10:06am

… And about “purge” a cert-name, preserving other?

The command certbot certificates at my server show something as:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: MyDomain1
    Domains: ...
    Expiry Date: 2017-10-24 10:22:00+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/MyDomain1/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/MyDomain1/privkey.pem
  Certificate Name: MyDomain2
    Domains: ....
    Expiry Date: 2017-11-10 02:22:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/MyDomain2/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/MyDomain2/privkey.pem

The first, MyDomain1 is rubbish! (use a subset of MyDomain2 domains and removed-from-server domains), nobody using it… And not make sense a cert-name about domain that not exist.

The second is in production, I am using it (!).

How to delete only MyDomain1?

PS: Hi @schoen, some direct and reliable command? some clues for a reliable procedure?

mnordhoff · August 12, 2017, 10:35am

@ppKrauss

I’m uncertain what you want to do, but you can delete a certificate lineage and all of its files with “certbot delete --cert-name MyDomain1”.

If you want to keep the lineage, but add or remove names, how to do that should be explained earlier in this thread.

schoen · August 12, 2017, 5:26pm

@mnordhoff’s suggestion is the standard way to do this from my point of view.

jgrocha · April 15, 2018, 10:43am

Using certbot 0.19.0 the certificate name is the name reported by certbot certificates without any additional .org. If you add .org it will create a new certificate and does not update the previous one.

richardfoley · January 18, 2019, 10:22am

Thanks to @pfg for this answer. Several years later this thread helped enormously to clean up the domain-0001, domain-0002 cruft which had been gathering dust locally.

yragnos · September 6, 2020, 6:27pm

This is the only solution that worked correctly. And is the most logical one.