When I do a letsencrypt-auto renew, where does this command take the information from about which subdomains should be renewed?
If there was a subdomain chat.domain.de which does not exist anymore, renewal fails because the DNS lookup fails.
and letsencrypt-auto certificates says the name is a.example.com, and you want to replace it with a new certificate that doesn’t include b.example.com, you would have to run:
Just for the record, there is also an option --allow-subset-of-names that you could use to renew a cert while excluding domains that don’t validate anymore.
--allow-subset-of-names
When performing domain validation, do not consider it a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this system. This option cannot be used with --csr.
That said, my advice is to not use it. Use the example @mnordhoff posted above, because you will have control over what is going on, and using --allow-subset-of-names could have unexpected results.
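An added example, not part of the thread or of certbot: a pre-renewal check that reads the output of letsencrypt-auto certificates and reports, per certificate, which names still resolve and which are stale, so the names to drop are chosen explicitly rather than left to --allow-subset-of-names. The sample output is constructed, the function names are hypothetical, and a successful DNS lookup is only a proxy for validation succeeding.

```python
import re
import socket

# Constructed sample of `letsencrypt-auto certificates` output (not from the thread).
SAMPLE_OUTPUT = """\
Found the following certs:
  Certificate Name: a.example.com
    Domains: a.example.com b.example.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 30 days)
  Certificate Name: domain.de
    Domains: domain.de www.domain.de chat.domain.de
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 30 days)
"""

def parse_certificates(text):
    """Return {certificate name: [domains]} parsed from the listing."""
    certs, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            certs[current] = []
            continue
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m and current is not None:
            certs[current] = m.group(1).split()
    return certs

def resolves(name):
    """True if the name currently has an address record (live DNS lookup)."""
    try:
        socket.getaddrinfo(name, 443)
        return True
    except socket.gaierror:
        return False

def split_names(certs, resolver=resolves):
    """For each certificate, separate names that still resolve from stale ones."""
    report = {}
    for cert_name, domains in certs.items():
        keep = [d for d in domains if resolver(d)]
        drop = [d for d in domains if d not in keep]
        report[cert_name] = {"keep": keep, "drop": drop}
    return report

if __name__ == "__main__":
    for name, r in split_names(parse_certificates(SAMPLE_OUTPUT)).items():
        print(f"{name}: keep={r['keep']} drop={r['drop']}")
```

A certificate with a non-empty drop list is one whose renewal would fail on the stale names, or silently shrink under --allow-subset-of-names.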