I have a single certificate for multiple domains generated with the usual -d first.domain -d second.domain -d third.domain etc...
Soon I will need to renew the certificate for all domains, except one, which by then will be canceled.
I tried to run the following command:
certbot certonly --csr ./renew-my.csr --manual --preferred-challenges dns -d first.domain -d second.domain --dry-run
Only, I noticed it also asks me to renew the third.domain, which I would like to avoid.
The use of --csr makes the behaviour of certbot quite different in a lot of ways. I can only assume the used hostnames are taken from the CSR and it ignores the -d switches.
Why do you use --csr anyway? Did you use it initially too? And what was the reason for it? There isn't much use for it to be frank.
I typically worked this way before starting to work with certbot.
The usual scenario was an MS Windows Server with IIS, which needed to renew a certificate. I would export the CSR from IIS and send it to a vendor, who in return would provide the renewed certificate.
Because I cannot install any package on the MS windows server, I am using certbot on a linux box and exporting the certificate to the MS Windows Server.
Providing the CSR should serve to make sure the certificate would work only with that specific server, am I right?
Ah, Windows Server with IIS, totally not in my ballpark to be honest. No experience whatsoever.
Therefore, I don't know if the use of a CSR is actually mandatory in this specific situation. It might be possible to install a certificate with the private key too, without using a CSR. However, as your specific situation mandates a manual process anyway, using a CSR is also an option.
If the CSR was generated on that specific server and the corresponding private key is also only on that specific server, then yes. A CSR is technically only coupled to the private key it was generated with.
  --allow-subset-of-names
                        When performing domain validation, do not consider it
                        a failure if authorizations can not be obtained for a
                        strict subset of the requested domains. This may be
                        useful for allowing renewals for multiple domains to
                        succeed even if some domains no longer point at this
                        system. This option cannot be used with --csr.
                        (default: False)
(…)
  --cert-path CERT_PATH
                        Path to where certificate is saved (with auth --csr),
                        installed from, or revoked. (default: None)
(…)
  --csr CSR             Path to a Certificate Signing Request (CSR) in DER or
                        PEM format. Currently --csr only works with the
                        'certonly' subcommand. (default: None)
There's no mention of what other options are used or ignored, unfortunately. My assumption is that certbot just takes the hostnames from the CSR, probably including your third domain, and ignores the -d options.
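One way to act on that assumption, as an added example that is not from the thread or from certbot itself: build the renewal CSR with only the domains that are staying, then read its SAN list back and check it before handing it to certbot --csr. It assumes openssl 1.1.1 or newer (for -addext) on the Linux box; the domain names are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). certbot --csr takes the hostnames from
# the CSR, so control the domain list when you build the CSR and read it back
# before running certbot. Assumes openssl >= 1.1.1 (for -addext) and uses
# placeholder domain names.
set -eu

# make_csr KEY CSR DOMAIN... : write a CSR whose subjectAltName is exactly
# DOMAIN... (the first domain is also used as the subject CN). The key is
# created only if missing and never leaves this machine.
make_csr() {
  key=$1; csr=$2; shift 2
  cn=$1; sans=""
  for d in "$@"; do
    sans="${sans}${sans:+,}DNS:$d"
  done
  [ -f "$key" ] || openssl genpkey -algorithm RSA \
    -pkeyopt rsa_keygen_bits:2048 -out "$key" 2>/dev/null
  openssl req -new -batch -key "$key" -out "$csr" -subj "/CN=$cn" \
    -addext "subjectAltName=$sans"
}

# csr_sans CSR : print the DNS names in the CSR's subjectAltName, one per line
csr_sans() {
  openssl req -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_matches CSR DOMAIN... : succeed only when the CSR's SAN set is exactly
# DOMAIN..., so a cancelled name (the thread's third.domain) cannot slip in
csr_matches() {
  csr=$1; shift
  [ "$(printf '%s\n' "$@" | sort)" = "$(csr_sans "$csr" | sort)" ]
}

# Demo: CSR for the two domains that are staying, then inspect it.
dir=$(mktemp -d)
make_csr "$dir/renew.key" "$dir/renew-my.csr" first.domain second.domain
csr_sans "$dir/renew-my.csr"          # lists first.domain and second.domain only
csr_matches "$dir/renew-my.csr" first.domain second.domain && echo "CSR ok"
# Then: certbot certonly --csr "$dir/renew-my.csr" --manual \
#         --preferred-challenges dns --dry-run
```

If the check fails, regenerate the CSR rather than adding -d switches, since the -d list is not what --csr acts on.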