What do I need to do to remove domains from my SSL cert?

I had a bunch of domains, and I sold a couple to someone else. Now I am getting an error when I try to renew my certificate. What do I need to do to tell LE that I don't want to renew those specific domains? Is there an explicit instruction to say "I'm not using this any more," or can I just say "quit trying to renew these 2, but renew the others?" Thanks!

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: camerontech.com plus numerous others

I ran this command: certbot -v renew

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/camerontech.com.conf


Certificate is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate for camerontech.com and 26 more domains
Performing the following challenges:
http-01 challenge for openshift.guru
http-01 challenge for openshift.ninja
Waiting for verification...
Challenge failed for domain openshift.guru
Challenge failed for domain openshift.ninja
http-01 challenge for openshift.guru
http-01 challenge for openshift.ninja

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: openshift.guru
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for openshift.guru - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for openshift.guru - check that a DNS record exists for this domain

Domain: openshift.ninja
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for openshift.ninja - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for openshift.ninja - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Cleaning up challenges
Failed to renew certificate camerontech.com with error: Some challenges have failed.


All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/camerontech.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): httpd-2.4.37-47.module+el8.6.0+14529+083145da.1.x86_64

The operating system my web server runs on is (include version): Red Hat Enterprise Linux 8.6

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.27.0

1 Like

Certbot does not have a convenient way of adding or removing hostnames from existing certificates. Usually, the only option is to use the command as if you were issuing the certificate, but then with or without the hostname(s) you'd like to add or remove. I agree this is very cumbersome, but the Certbot team doesn't have the resources (as in, the team is too small) to change it unfortunately.

In your specific case, you could use the --allow-subset-of-names option with the certbot renew subcommand. From the documentation:

--allow-subset-of-names
When performing domain validation, do not consider it
a failure if authorizations can not be obtained for a
strict subset of the requested domains. This may be
useful for allowing renewals for multiple domains to
succeed even if some domains no longer point at this
system. This option cannot be used with --csr.
(default: False)

You should only use this command if you're absolutely certain the hostnames you want to keep won't fail and only the hostnames you want to have removed fail.

4 Likes

Thanks so much for your response! I re-ran the certbot -d command without the two domains I no longer own, and it seemed to run just fine. (certbot -d camerontech.com,3-16.com,3-16.net,3-16.org,acmewidgetcorporation.com,acmewidgetcorporation.net,acmewidgetcorporation.org,camerons.us,camerontech.net,camerontech.org,churchoflinux.com,digitaltransformation.blog,itforgood.com,linux-magic.com,linux-magic.net,linux-magic.org,linux-ninja.com,linuxninja.us,tdcameron.com,techchick.com,techchick.net,techchick.org,thomascameron.us,three-sixteen.com,mail-east.camerontech.com --apache)

But then, when I run the weekly check-in script which runs "certbot renew," I get the error message again:

[root@mail-east cron.weekly]# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/camerontech.com-0001.conf


Certificate not yet due for renewal


Processing /etc/letsencrypt/renewal/camerontech.com.conf


Renewing an existing certificate for camerontech.com and 26 more domains

Certbot failed to authenticate some domains (authenticator: apache). The Certificate Authority reported these problems:
Domain: openshift.guru
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for openshift.guru - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for openshift.guru - check that a DNS record exists for this domain

Domain: openshift.ninja
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for openshift.ninja - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for openshift.ninja - check that a DNS record exists for this domain

Hint: The Certificate Authority failed to verify the temporary Apache configuration changes made by Certbot. Ensure that the listed domains point to this Apache server and that it is accessible from the internet.

Failed to renew certificate camerontech.com with error: Some challenges have failed.


The following certificates are not due for renewal yet:
/etc/letsencrypt/live/camerontech.com-0001/fullchain.pem expires on 2022-08-09 (skipped)
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/camerontech.com/fullchain.pem (failure)


1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

So should I change it to "certbot --allow-subset-of-names renew" instead?

2 Likes

@thomascameron The new certbot command created a second cert under the same main name but appending -0001. Specifically: camerontech.com-0001

The renew that is failing is your earlier cert.

It looks like your Apache server is using the cert from the new -0001 folder so you can safely delete the old unneeded cert with this delete command. You can confirm Apache is sending the latest cert with a site like this one.

certbot delete --cert-name camerontech.com

You can visualize what happened by looking at certbot's cert list:

certbot certificates
5 Likes

You are a champ, thank you so much! All is working fine, now. Thank you!

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.