Remove R-LDH domain name from existing certificate

Dear All,

I just got an email saying I will not be able to renew my certificate any longer as it contains a reserved domain name (a DNS name containing the characters ‘--’).

I am not using that domain anymore but the certificate contains my production domain name.

What is the procedure to remove the offending domain name and be able to renew the certificate?

My site is live and it has been for a while.

Thanks

Hi @mirko77,

Thanks for reaching out.

Can you provide more information about what ACME client you’re using? Is it Certbot?

Thanks!

Hi,

Yes, it is Certbot. The server is Apache2 on an Ubuntu 16.04 machine.

@mirko77 - thanks!

@schoen Do you know the correct way to remove a domain from an existing certificate with Certbot/Apache? Is --allow-subset-of-names the relevant flag?

I wouldn’t really recommend --allow-subset-of-names for this purpose because it might remove other names as well if there’s any reason that the CA happens not to be willing to issue for them at the moment of the renewal, including a simple misconfiguration on the client side.

I would suggest finding the cert name with certbot certificates (it’s likely to be the same as one of your domain names that the certificate covers) and then running certbot certonly --force-renewal --cert-name example.org plus a -d option for each domain name that you still want to be included in the certificate.

You will also have to specify an authentication method, which should be the same one that you originally used when obtaining the certificate.


Ok,
so certbot certificate gives

Found the following certs:
  Certificate Name: five.epicollect.net
    Domains: five.epicollect.net fi--ec5dev3.dide.ic.ac.uk
    Expiry Date: 2017-11-11 22:01:00+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/five.epicollect.net/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/five.epicollect.net/privkey.pem

I just need the five.epicollect.net domain

I am not sure about the authentication method. The certificate was installed by using:

certbot certonly --webroot -w /var/www/html_prod/current/public/ -d five.epicollect.net -d fi--ec5dev3.dide.ic.ac.uk

Is --webroot the authentication method?

Thanks

Yep, so you can run

certbot certonly --force-renewal --cert-name five.epicollect.net --webroot -w /var/www/html_prod/current/public/ -d five.epicollect.net

This says that you want to update the certificate named five.epicollect.net by replacing it with one obtained in this way and covering only the domain name five.epicollect.net.
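A check that can be run before and after the re-issue described in this thread, added here as an example (it is not part of any poster's reply or of Certbot). It lists the DNS names in a certificate that have a label in the reserved form, assuming the RFC 5890 definition of an R-LDH label (hyphens as the third and fourth characters) and treating `xn--` IDN labels as acceptable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find certificate names with a reserved "??--" label.

# Succeeds if any label of the name has "--" as its 3rd and 4th characters
# and is not an IDN A-label ("xn--..."). Assumption: RFC 5890 R-LDH definition.
has_reserved_label() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    old_ifs=$IFS
    IFS=.
    set -f                      # do not glob wildcard names such as *.example
    set -- $name                # split the name into labels
    set +f
    IFS=$old_ifs
    for label in "$@"; do
        case $label in
            xn--*) ;;           # IDN A-label, not flagged
            ??--*) return 0 ;;  # reserved form, e.g. fi--ec5dev3
        esac
    done
    return 1
}

# Prints each argument that contains a reserved label, one per line.
reserved_names() {
    for n in "$@"; do
        if has_reserved_label "$n"; then
            printf '%s\n' "$n"
        fi
    done
}

# Prints the subjectAltName DNS entries of a PEM certificate, one per line.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Usage: sh check.sh /etc/letsencrypt/live/five.epicollect.net/fullchain.pem
if [ -n "${1:-}" ]; then
    cert_dns_names "$1" | while read -r san; do
        reserved_names "$san"
    done
fi
```

No output for the certificate path means the certificate no longer carries a name in the reserved form.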
