What file is the list of domains for my cert stored in

I need the ability to change the domain aliases that will be renewed on the fly (I don’t need to actually renew them, just change what ones will be renewed next time renewal runs.)

I have to be able to do this via file accesses, this interface will not have permissions to run commands.

So when I run letsencrypt-auto renew, what file does it look up to see the aliases for my domain for renewal?

I thought it was /etc/letsencrypt/renewal/DOMAIN.conf but that isn’t correct. If i remove entries from here it still tries to renew them, only it asks for the webroot since the webroot entry is gone.

Linux debian OS

Certbot uses the list of subject names in the most recent certificate as the list of subject names for a renewal:

Normally if you want to change this list you should force a renewal with a new list of subject names, like

certbot --cert-name example.com -d one.example.com -d two.example.com -d three.example.com -d example.com -d www.example.com --force-renewal

If this succeeds, then you have an new certificate that covers exactly those names rather than whatever names were covered before.

I believe that this is currently the only way to do it because I believe the domains setting is explicitly ignored in the configuration file, due to a common mistake where people were putting this setting in their cli.ini files.

Eh, It’s open source, I’ll just have to look at changing that locally and disabling updates. Or maybe making my own client. certbot is a little excessive in the feature list for my uses.

You’re an engineer, it might be offtopic for this section, but would you happen to know what source file pulls that info? I might just replace it with a file read

[quote="MrStonedOne, post:3, topic:37306"]
Or maybe making my own client. certbot is a little excessive in the feature list for my uses.[/quote]

Certbot is a heavyweight client and has sometimes been criticized for that. It's got lots of code to deal with automated renewals and server integration (like parsing and editing web server configurations).

If you're looking for something lighter-weight, you might want to look over

Some of the bash clients are quite small and have few or no dependencies.

For certbot renew, which considers all existing certificates for potential renewal, it's effectively


where renewal_candidate.names() is calling into


which in turn reads the PEM file on disk.

There is a possibly less interesting case at


which should be used if you perform an individual-certificate-oriented action like certbot certonly with a --cert-name or list of domains that are judged to refer to an existing certificate and with options or circumstances that are judged to request a renewal of that existing individual certificate. (The circumstances when this happens are somewhat complicated to explain, although I've explained them before in some detail in other forum threads, related to the options --keep-until-expiring, --duplicate, --force-renewal, and the expiration time of the existing certificate.)

Edit: I think I have a more detailed explanation somewhere else, but I found a basic summary that I wrote about the meanings of the individual-certificate-oriented command line options that affect Certbot's behavior:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.