Where does Certbot store it's list of domains to renew?


#1

Hi all,

I’ve run ‘certbot delete’ for a domain that’s been moved to a different server, but when I ran a “renew” with the --dry-run flag, I’m still seeing a reference to that domain in the output.

Syntax error on line 25 of /etc/httpd/conf.d/moved_NOW_ON_PROD.domain.tld.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.moved.domain.tld/cert.pem' does not exist or is empty

_(I renamed the etc/httpd/conf.d/hostname.domain.tld.conf file to include 'NOW_ON_PROD’ as part of the filename so that we wouldn’t try making changes, & then wonder why those changes weren’t taking effect.)

I’m guessing that perhaps there’s a config file somewhere that is storing the list of domains - and that maybe it’s possible to edit that file & delete the reference to the obsolete domain??

Thank you.


#2

And while we’re on the subject, this may be related - In the same output, I also see a 2nd (test) domain name for which we have no need for an SSL certificate. I’d like to remove the reference to that domain name as well.

Thanks guys.


#3

certbot delete deletes the certificate, and removes the associated renewal configuration file so that it won’t try to renew it again. But it does not remove the references to it from your webserver configuration! So what’s most likely happening is your Apache configuration is still including the file that you renamed - because it’s including either all files in /etc/httpd/conf.d, or all files ending in .conf - and that file still refers to the old certificate which now does not exist.

So this has nothing to do with the list of certificates or domains that certbot is trying to renew - rather, when it renews any certificate, it will try to reload your apache configuration (assuming you’re using the apache plugin), and if there’s an error in your apache configuration, such as referring to a certificate that doesn’t exist, that step will fail - even if the missing certificate is a different one to the one you’re trying to renew.

You might try renaming the file to example.com.conf.NOW_ON_PROD or just moving it out of that directory entirely.


#4

And to answer your actual question (even though I think it’s probably not relevant to the problem you’re experiencing) - the list of certificates that Certbot will try to renew is taken from the files in /etc/letsencrypt/renewal (each file corresponds to one certificate). You can delete files from there if you want to stop a certificate from renewing, without deleting the certificate itself.


#5

The list of certificates to renew is taken from /etc/letsencrypt/renewal but the domains to renew in each certificate is taken from that certificate’s PEM file.


#6

@jmorahan, @schoen, Thank you guys - not only do I know how to resolve the issue now, I have a bit better understanding of how the app works! Much appreciated!


closed #7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.