Remove R-LDH domain name from existing certificate

Dear All,

I just got an email saying I will not be able to renew my certificate any longer as it contains a reserved domain name (a DNS name containing the characters ‘–’ ).

I am not using that domain anymore but the certificate contains my production domain name.

What is the procedure to remove the offending domain name and be able to renew the certificate?

My site is live and it has been for a while.


Hi @mirko77,

Thanks for reaching out.

Can you provide more information about what ACME client you’re using? Is it Certbot?



yes, it is Certbot. The server is Apache2 on a Ubuntu 16.04 machine

@mirko77 - thanks!

@schoen Do you know the correct way to remove a domain from an existing certificate with Certbot/Apache? Is --allow-subset-of-names the relevant flag?

I wouldn’t really recommend --allow-subset-of-names for this purpose because it might remove other names as well if there’s any reason that the CA happens not to be willing to issue for them at the moment of the renewal, including a simple misconfiguration on the client side.

I would suggest finding the cert name with certbot certificates (it’s likely to be the same as one of your domain names that the certificate covers) and then running certbot certonly --force-renewal --cert-name plus a -d option for each domain name that you still want to be included in the certificate.

You will also have to specify an authentication method, which should be the same one that you originally used when obtaining the certificate.

1 Like

so certbot certificate gives

Found the following certs:
  Certificate Name:
    Expiry Date: 2017-11-11 22:01:00+00:00 (VALID: 73 days)
    Certificate Path: /etc/letsencrypt/live/
    Private Key Path: /etc/letsencrypt/live/

I just need the domain

I am not sure about the authentication method. The certificate was installed by using:

certbot certonly --webroot -w /var/www/html_prod/current/public/ -d -d

Is --webroot the authentication method?


Yep, so you can run

certbot certonly --force-renewal --cert-name --webroot -w /var/www/html_prod/current/public/ -d

This says that you want to update the certificate named by replacing it with one obtained in this way and covering only the domain name

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.