07 Nov 2018

Renew LetsEncrypt Cert and Remove Unused Domains

Is it possible to renew a Let's Encrypt certificate and drop one or more domains at the same time? Yes, it is.

Some Background

Here’s the scenario. I have abc.com, xyz.com and foobar.com all on a single Let’s Encrypt certificate. Renewal time comes around and foobar.com, for whatever reason, is no longer available or simply shouldn’t be on the certificate anymore. When I’ve hit this before I have just made a new cert and updated any configuration files to point to the new directory under /etc/letsencrypt/live.

This in itself is fine, except that in a recent scenario the service using this cert was mission critical and watches its certificate directory to trigger a special no-downtime reload. It isn’t designed to have the certificate directory changed. I could just create the new cert anyway and then clobber the old files with the new ones, but it got me searching to see if there was a built-in way to do this with certbot, and there is!

A Simple Solution

Rather than moving files around by hand, we can solve our scenario in two steps:

# 1. Get the name of the certificate to renew (probably the first domain,
#    shown as "Certificate Name" in the output)
certbot certificates

# 2. Request a cert in the usual way, specifying this name and
#    listing only the domains you want to keep.
#    Keeping the name keeps the same /etc/letsencrypt/live/<name> directory.
#    `-d` is for domain, remember, not for delete!
certbot certonly --cert-name abc.com -d abc.com,xyz.com

That’s it. A neater way to generate an updated Let’s Encrypt certificate when you only want to keep a subset of the domains.
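As an added example (not part of the original post), this script builds the certbot command from the list of domains to keep and, after renewal, checks that the certificate in the unchanged live directory carries exactly those SANs and nothing else. It assumes openssl is installed; the domains and the self-signed certificate are constructed stand-ins, and certbot itself is not run.

```shell
#!/bin/sh
# Added example, not from the original post. Domains and paths are constructed.
# Requires openssl; certbot itself is not run, only its command line is built.

# Build the certbot command that reissues under the existing certificate name
# (so /etc/letsencrypt/live/<name> stays put) with only the domains to keep.
renew_cmd() {
  name="$1"; shift
  keep=$(printf '%s,' "$@" | sed 's/,$//')
  printf 'certbot certonly --cert-name %s -d %s\n' "$name" "$keep"
}

# List the DNS SANs on a PEM certificate, one per line, sorted.
# Uses -text rather than -ext so it works on older OpenSSL releases.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | sed -n '/Subject Alternative Name/{n;p;}' \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | sort
}

# Return 0 when the certificate's SANs are exactly the given domains, 1 otherwise.
# Run this after renewal to confirm the dropped domain really is gone.
check_sans() {
  cert="$1"; shift
  expected=$(printf '%s\n' "$@" | sort)
  [ "$expected" = "$(cert_sans "$cert")" ]
}

# Self-signed stand-in for a Let's Encrypt cert (constructed test data).
make_demo_cert() {
  out="$1"; shift
  sans=$(printf 'DNS:%s,' "$@" | sed 's/,$//')
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -addext "subjectAltName=$sans" -keyout "$out.key" -out "$out" >/dev/null 2>&1
}

# Demo: the "old" cert carries three names; the renewal should keep only two.
demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir/old.pem" abc.com xyz.com foobar.com
renew_cmd abc.com abc.com xyz.com
if check_sans "$demo_dir/old.pem" abc.com xyz.com; then
  echo "certificate has only the domains to keep"
else
  echo "certificate still carries an unwanted domain:"; cert_sans "$demo_dir/old.pem"
fi
rm -rf "$demo_dir"
```

Point check_sans at /etc/letsencrypt/live/abc.com/cert.pem after the real certbot run to confirm foobar.com is gone before the watching service reloads.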

Dev SysAdmin