Remove unused domain from a cert (contains 40+ domains)

I have a cert that I installed months ago, which contains over 40 domains. The cert has expired and when I try to renew the cert with
sudo certbot renew --dry-run

I received error
1 renew failure(s), 0 parse failure(s)

It shows the expired domain (expired_domain.com) that I am no longer using…

Under the live folder, I have 1 cert (1st_cert.com)
/etc/letsencrypt/live

I have tried this command but it’s not working

certbot delete --cert-name expired_domain.com

I received this error

No certificate found with name expired_domain.com (expected /etc/letsencrypt/renewal/expired_domain.com.conf).

My question is how to remove it from this cert so that I can renew my cert with the correct command? Thank you

1 Like

The way to do this is a bit cumbersome: You have to run a command similar to the one you used to create the certificate.

For example, if you used:

sudo certbot --apache -d example.com -d www.example.com -d example.net -d www.example.net

And you want to remove both example.net names, you would have to use something like:

sudo certbot --apache --cert-name example.com -d example.com -d www.example.com

In other words, you have to run almost the same command you used originally, with the complete list of 39+ names you want in the new certificate, and the --cert-name option added.

The --cert-name argument is the certificate name used by Certbot. It’s used as the name of the /etc/letsencrypt/live/ subdirectory and can also be displayed by sudo certbot certificates. In your case, it seems to be 1st_cert.com.

If you need help, please post the actual, unedited output of sudo certbot certificates.

2 Likes
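A small helper that builds the re-issue command described above from the output of sudo certbot certificates, keeping every name except the ones you drop. This is an added example, not code from the thread or from Certbot; it assumes the "Domains:" line format of that output and uses constructed sample data with the thread's placeholder names.

```shell
#!/bin/sh
# Added example: derive the "run almost the same command again" invocation
# from `certbot certificates` output instead of retyping 39+ names by hand.
# Assumption: each cert block has a "Certificate Name:" line followed by a
# "Domains:" line listing the names separated by spaces.

# Constructed sample of `sudo certbot certificates` output (not real data).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: 1st_cert.com
    Domains: 1st_cert.com www.1st_cert.com expired_domain.com example.net
    Expiry Date: 2020-01-01 00:00:00+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/1st_cert.com/fullchain.pem'

# cert_domains OUTPUT CERT_NAME -> prints the names on that cert, one per line
cert_domains() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "Certificate" && $2 == "Name:" { cur = $3 }
        cur == name && $1 == "Domains:" { for (i = 2; i <= NF; i++) print $i }'
}

# build_cmd OUTPUT CERT_NAME DROP_NAME... -> prints the certbot command to run.
# It only prints the command so you can review the name list before running it.
build_cmd() {
    certs_out=$1; cert_name=$2; shift 2
    cmd="sudo certbot --apache --cert-name $cert_name"
    kept=0
    for d in $(cert_domains "$certs_out" "$cert_name"); do
        drop=0
        for x in "$@"; do [ "$d" = "$x" ] && drop=1; done
        if [ "$drop" -eq 0 ]; then
            cmd="$cmd -d $d"; kept=$((kept + 1))
        fi
    done
    # Refuse to emit a command with no names left; certbot would fail anyway.
    [ "$kept" -gt 0 ] || { echo "error: no names left on $cert_name" >&2; return 1; }
    printf '%s\n' "$cmd"
}

build_cmd "$SAMPLE_CERTS" 1st_cert.com expired_domain.com
```

Replace --apache with whatever plugin you used originally, and check the printed list against what you expect before running it.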

thx for your info. Other than this traditional method, is there an easier method?

1 Like

There is an easier but riskier method: you can renew with --allow-subset-of-names.

This will remove all names for which renewal attempts fail. However, it will remove names regardless of whether the renewal attempt failed for an expected or an unexpected reason.

2 Likes

hello schoen, thx for your reply. Assume it removed a domain that I want to remain, can I add it back manually? Please advise

1 Like

If you use --allow-subset-of-names, Certbot will issue and save a certificate, unless every name fails.

You could then issue another new certificate adding more names the same way you always do – running a Certbot command and selecting every name you want it to include.

1 Like