I just got an email saying I will not be able to renew my certificate any longer as it contains a reserved domain name (a DNS name containing the characters ‘--’).
I am not using that domain anymore but the certificate contains my production domain name.
What is the procedure to remove the offending domain name and be able to renew the certificate?
My site is live and it has been for a while.
Thanks for reaching out.
Can you provide more information about what ACME client you’re using? Is it Certbot?
Yes, it is Certbot. The server is Apache2 on an Ubuntu 16.04 machine.
@mirko77 - thanks!
@schoen Do you know the correct way to remove a domain from an existing certificate with Certbot/Apache? Is --allow-subset-of-names the relevant flag?
I wouldn’t really recommend --allow-subset-of-names for this purpose because it might remove other names as well if there’s any reason that the CA happens not to be willing to issue for them at the moment of the renewal, including a simple misconfiguration on the client side.
I would suggest finding the cert name with certbot certificates (it’s likely to be the same as one of your domain names that the certificate covers) and then running certbot certonly --force-renewal --cert-name example.org plus a -d option for each domain name that you still want to be included in the certificate.
You will also have to specify an authentication method, which should be the same one that you originally used when obtaining the certificate.
certbot certificate gives
Found the following certs:
Certificate Name: five.epicollect.net
Domains: five.epicollect.net fi--ec5dev3.dide.ic.ac.uk
Expiry Date: 2017-11-11 22:01:00+00:00 (VALID: 73 days)
Certificate Path: /etc/letsencrypt/live/five.epicollect.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/five.epicollect.net/privkey.pem
I just need the
I am not sure about the authentication method. The certificate was installed by using:
certbot certonly --webroot -w /var/www/html_prod/current/public/ -d five.epicollect.net -d fi--ec5dev3.dide.ic.ac.uk
--webroot the authentication method?
Yep, so you can run
certbot certonly --force-renewal --cert-name five.epicollect.net --webroot -w /var/www/html_prod/current/public/ -d five.epicollect.net
This says that you want to update the certificate named five.epicollect.net by replacing it with one obtained in this way and covering only the domain name
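The procedure from this thread as a script. This is an added example, not part of the original posts and not Certbot's own code: it reads a `certbot certificates` listing, drops reserved names, and prints (without running) the reissue command. The function names, the sample variable, and the reading of "reserved" as "--" in the third and fourth characters of a non-"xn--" label are assumptions.

```shell
# Added example (not from the thread): builds the reissue command, runs nothing.
# Constructed sample: the `certbot certificates` listing quoted in the thread.
SAMPLE_LISTING='Found the following certs:
  Certificate Name: five.epicollect.net
    Domains: five.epicollect.net fi--ec5dev3.dide.ic.ac.uk
    Expiry Date: 2017-11-11 22:01:00+00:00 (VALID: 73 days)'

# True if any label has "--" in positions 3-4 and is not an IDN "xn--" label
# (assumption: this is the "reserved" rule the CA's email refers to).
is_reserved() {
  rest=$1
  while [ -n "$rest" ]; do
    case "${rest%%.*}" in
      [Xx][Nn]--*) ;;            # punycode label: allowed
      ??--*) return 0 ;;         # reserved label
    esac
    case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
  done
  return 1
}

# usage: build_reissue_cmd CERT_NAME LISTING [authenticator options...]
# Subshell body, so `set -f` and the variables do not leak to the caller.
build_reissue_cmd() (
  set -f                         # keep wildcard names such as *.example.org literal
  cert_name=$1; listing=$2; shift 2
  hit=0; keep=
  while read -r key value; do
    case "$key $value" in
      "Certificate Name: "*)     # only the requested lineage is considered
        if [ "${value#Name: }" = "$cert_name" ]; then hit=1; else hit=0; fi ;;
      "Domains: "*)
        [ "$hit" -eq 1 ] || continue
        for d in $value; do
          if is_reserved "$d"; then echo "dropping $d" >&2; else keep="$keep -d $d"; fi
        done ;;
    esac
  done <<EOF
$listing
EOF
  [ -n "$keep" ] || { echo "no issuable names left in $cert_name" >&2; exit 1; }
  cmd="certbot certonly --force-renewal --cert-name $cert_name"
  if [ $# -gt 0 ]; then cmd="$cmd $*"; fi
  echo "$cmd$keep"
)

build_reissue_cmd five.epicollect.net "$SAMPLE_LISTING" --webroot -w /var/www/html_prod/current/public/
```

On a live host the listing would come from `"$(certbot certificates)"`; review the printed command before running it, since every name not listed with -d is left out of the new certificate.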