Let's Encrypt: Remove only one hostname from certificate

chevallier asked:

I have the following certificate:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
 Certificate Name: domain.tld
  Domains: domain.tld imap.domain.tld mail.domain.tld pop.domain.tld smtp.domain.tld www.domain.tld
  Expiry Date: 2019-09-09 03:34:20+00:00 (VALID: 62 days)
  Certificate Path: /etc/letsencrypt/live/domain.tld/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/domain.tld/privkey.pem

Now what I want to do is remove domain.tld and www.domain.tld from the certificate, because the web server has moved to another instance. The fact that the DNS entries have been changed means that the renewal process will fail if domain.tld and www.domain.tld are still part of the certificate, because the DNS entries now point to another IP.

How can I remove certain host names from a Let’s Encrypt certificate without deleting the certificate and creating a new one?

My answer:

I don’t usually bother reissuing certificates in this case. I just edit the configuration file in /etc/letsencrypt/renewal/example.com.conf and remove the domain from there. At the next renewal, the new certificate will no longer contain the removed domain.

But in your case, as the name you want to remove was the original one for the certificate, I would suggest you not renew this cert at all, but remove the renewal configuration file for the old cert then issue a new cert with only the names you want to keep.
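Whichever route is taken, the thing worth checking afterwards is that the certificate actually being served no longer carries the names that were dropped. The script below is an added example, not part of the Server Fault post: it lists the DNS names in a certificate's subjectAltName with openssl and checks that a given set of names is absent. It assumes OpenSSL 1.1.1 or newer (for `-ext` and `-addext`); the self-signed certificate it builds is a constructed stand-in for the reissued /etc/letsencrypt/live/domain.tld/fullchain.pem.

```shell
#!/bin/sh
# Added example, not from the original post. Verifies which DNS names a
# certificate still contains after a renewal or reissue, so a name that
# should have been removed (domain.tld, www.domain.tld) does not keep
# being served. Assumes OpenSSL >= 1.1.1.
set -eu

# Print the DNS entries of a certificate's subjectAltName, one per line.
# Works on a fullchain.pem too: openssl x509 reads the first (leaf) cert.
san_dns_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if the certificate contains none of the given names,
# 1 (and a message on stderr) if any of them is still present.
cert_excludes() {
    cert="$1"; shift
    names=$(san_dns_names "$cert")
    for n in "$@"; do
        if printf '%s\n' "$names" | grep -qxF "$n"; then
            echo "still present in $cert: $n" >&2
            return 1
        fi
    done
    return 0
}

# Constructed stand-in for the reissued certificate: self-signed, carrying
# only the mail-related names that were meant to be kept.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/privkey.pem" -out "$dir/cert.pem" \
        -subj "/CN=imap.domain.tld" \
        -addext "subjectAltName=DNS:imap.domain.tld,DNS:mail.domain.tld,DNS:pop.domain.tld,DNS:smtp.domain.tld" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Usage against a real deployment would be:
#   cert_excludes /etc/letsencrypt/live/domain.tld/fullchain.pem domain.tld www.domain.tld
demo() {
    cert=$(make_demo_cert)
    echo "names in certificate:"
    san_dns_names "$cert"
    if cert_excludes "$cert" domain.tld www.domain.tld; then
        echo "OK: removed names are gone"
    else
        echo "FAIL: a removed name is still in the certificate"
    fi
}

[ "${1:-}" = "demo" ] && demo
```

Run it as `sh check-san.sh demo` to see the constructed case; in production point `cert_excludes` at the live fullchain.pem after `certbot renew` or the reissue has completed, and note that a name still present there means the old certificate is still in place and the web server serving it has not been reloaded or the reissue did not take effect.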
View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.