Removing invalid domains

Debian 9
Certbot 0.28.0

When I set up certbot/letsencrypt, I was hosting two domains that are no longer in use. The registration for two of the aliases of the domain, and have expired and there is no DNS entry for them. This appears to cause the automatic renewal to fail. The primary CN for the certificate,, is no longer enabled, Apache redirects to the default site, (This in turn redirects to

The errors I get when I attempt to renew are all complaints about the lack of a DNS entry for and an invalid response from (because the site is disabled)…

What’s the best way to recover from this? I’m already hitting rate limiting for some of these hosts. The certificate expires on August 7.

1 Like

You can re-define the names that are included on a certificate.

First, check what certificate you already have:

sudo certbot certificates

Then using the listed certificate name (replace THE_CERT_NAME), you can change the certificate to only include the domains you want:

sudo certbot certonly --apache --dry-run --cert-name THE_CERT_NAME \
-d -d -d \
-d -d -d \
-d -d -d \
-d -d \
-d -d \
-d -d -d

Remove any you don’t need anymore, and give it a shot. Once it’s working, remove certonly and --dry-run and do it for real.

1 Like

“–dry-run currently only works with the ‘certonly’ or ‘renew’
subcommands (‘run’)”

I’ve tried -d , it fails on DNS. If I put an entry in my hosts
file, it fails when it attempts to validate the site. I’m reluctant to
test random guessed commands because I’ve hit rate limiting, which
blocks me for seven days eight days before the cert expires.

1 Like

The rate limiting from failed validations is 5 attempts per hour. It does not lock you out for a week.

If you use --dry-run, the limit increases to 60 attempts per hour.

Sorry, I updated the command now.

1 Like

I don’t know about best, but the easy way looks like this:

      When performing domain validation, do not consider it
      a failure if authorizations can not be obtained for a
      strict subset of the requested domains. This may be
      useful for allowing renewals for multiple domains to
      succeed even if some domains no longer point at this
      system. This option cannot be used with --csr.
      (default: False)

(there can be several reasons why “authorizations can not be obtained” other than your issue, though)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.