Single cert multi domain (renewal partial list)

I am about to set up certbot, and it has a single-certificate, multiple-domain option, also posted in one of the questions before.

For example: certbot-auto -d domain1.com -d domain2.com -d domain3.com -d domain4.org

Now this example above creates one cert for 4 entirely different domains, but the confusion I have is: when I renew the cert, and at that time I want to remove a domain (domain3.com) for which I don't want to continue to create a cert, what will happen to the renewal process? Will it fail because one domain has been removed from the list while removal, although it was there when first created?

Would appreciate a response on this. Thank you in advance.

Regards
Maxim

Hi @Maxim welcome to the community!

The correct answer comes with knowing more about the specifics of your environment.
Would you share some of your configuration information with the community so we can provide you with good info?

If multiple domains are covered by one certificate and for some reason one domain is no longer relevant, that domain can be safely removed from a certificate USING THE PROPER TOOLS AND PROCEDURES.

If a “removal or deletion” is not executed correctly, you WILL hose your system, guaranteed.

That said, you can always use one cert per domain and expand the cert(s) to cover additional domains as you become more familiar with the processes and how they work. OR… just issue a new certificate with the relevant names on it.

Here’s a thread with a similar objective.
food for thought
Rip

Hi @Maxim,

Yes, it will fail the renewal in this case. Since the renewal attempts start happening 30 days before expiry, that shouldn't be a big problem if you pay attention to it.

The suggested way to remove the domain is re-running Certbot and specifying the name of the certificate and all of the names that you do want to be included:

certbot-auto --cert-name domain1.com -d domain1.com -d domain2.com -d domain4.org

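As an added example (not part of the replies above and not Certbot's own tooling): a small shell helper that reads `certbot certificates` output, checks that the names to drop are really on the certificate, and prints the reissue command in the form shown in the last reply. The function names and the sample listing are constructed for illustration, and the `CERTBOT` variable is an assumption for the client's name.

```shell
#!/bin/sh
# Added example: plan removing names from a multi-domain certificate.
CERTBOT="${CERTBOT:-certbot-auto}"   # assumption: client name as used in the thread

# Constructed sample of `certbot certificates` output (not from a real host).
sample_listing() {
cat <<'EOF'
Found the following certs:
  Certificate Name: domain1.com
    Domains: domain1.com domain2.com domain3.com domain4.org
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 60 days)
  Certificate Name: other.example
    Domains: other.example
EOF
}

# Print the space-separated names on certificate $1; the listing comes on stdin.
cert_domains() {
  awk -v want="$1" '
    $1 == "Certificate" && $2 == "Name:" { current = $3 }
    $1 == "Domains:" && current == want  { sub(/^ *Domains: */, ""); print }
  '
}

# Print the command that reissues certificate $1 without the names given as
# further arguments. Fails if a name is not on it or if no name would remain.
plan_removal() (
  set -f                              # keep wildcard names such as *.example.com literal
  cert="$1"; shift
  current="$(cert_domains "$cert")"   # reads the listing from stdin
  if [ -z "$current" ]; then echo "no certificate named $cert" >&2; return 1; fi
  for gone in "$@"; do
    case " $current " in
      *" $gone "*) ;;
      *) echo "$gone is not on $cert" >&2; return 1 ;;
    esac
  done
  keep=""
  for name in $current; do
    drop=0
    for gone in "$@"; do
      if [ "$name" = "$gone" ]; then drop=1; fi
    done
    if [ "$drop" -eq 0 ]; then keep="$keep -d $name"; fi
  done
  if [ -z "$keep" ]; then echo "refusing: no names would remain on $cert" >&2; return 1; fi
  echo "$CERTBOT --cert-name $cert$keep"
)
```

On a real host the listing would come from the client itself, for example `certbot certificates | plan_removal domain1.com domain3.com`; the helper only prints the command and does not run it.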
