Is it possible to renew a Let's Encrypt certificate and drop one or more domains at the same time? Yes it is.
Here’s the scenario. I have
foobar.com all on a single Let’s Encrypt certificate. It comes to renewal time and actually
foobar.com for whatever reason isn’t available or just shouldn’t be included on the certificate anymore. Now, when I’ve hit this before I just make a new cert and update any configuration file to point to the new directory under
This in itself is fine, except that in a recent scenario the service using this cert was mission critical and watches the directory to trigger a special no-down-time reload. It isn't designed to have the certificate directory changed. I could just create the new cert anyway and then clobber the old files with the new ones, but it got me searching to see if there was a built-in way to do this with certbot, and there is!
A Simple Solution
Easier than having to manually move files around, we can solve our scenario in two steps:
```bash
# 1. Get the name of the certificate to renew (probably the first domain)
certbot certificates

# 2. Request a cert in the usual way specifying this name and
#    listing the domains you want to keep.
#    `-d` is for domain remember, not for delete!
certbot certonly --cert-name abc.com -d abc.com,xyz.com
```
That’s it. A neater way to generate an updated Let’s Encrypt certificate when you only want to keep a subset of the domains.
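The two steps above can be scripted so the `-d` list is derived from what the certificate currently holds rather than retyped by hand. This is an added example, not part of the original post: the function names `kept_domains` and `renewal_command` are hypothetical, the sample `certbot certificates` output is constructed, and the script only prints the command instead of running it.

```shell
#!/usr/bin/env bash
# Added example: build the `certbot certonly` command that keeps a
# certificate's name but drops the listed domains.

# kept_domains CERT_NAME DROP...   (reads `certbot certificates` output on stdin)
# Prints the domains that remain, comma-separated, in their original order.
kept_domains() {
    local cert_name="$1"; shift
    local drop=" $* "
    awk -v name="$cert_name" -v drop="$drop" '
        # Track which certificate block we are in.
        $1 == "Certificate" && $2 == "Name:" { in_cert = ($3 == name) }
        in_cert && $1 == "Domains:" {
            out = ""
            for (i = 2; i <= NF; i++)
                if (index(drop, " " $i " ") == 0)      # exact-name match only
                    out = out (out == "" ? "" : ",") $i
            print out
            exit
        }'
}

# renewal_command CERT_NAME DROP...   (same stdin); prints the command only.
renewal_command() {
    local cert_name="$1" kept
    kept=$(kept_domains "$@")
    if [ -z "$kept" ]; then
        # Either the certificate name was not found or every domain was dropped.
        echo "nothing to request for $cert_name" >&2
        return 1
    fi
    printf 'certbot certonly --cert-name %s -d %s\n' "$cert_name" "$kept"
}

# Constructed sample of `certbot certificates` output (fields trimmed).
SAMPLE_OUTPUT='Found the following certs:
  Certificate Name: abc.com
    Domains: abc.com xyz.com foobar.com
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 20 days)
  Certificate Name: other.example
    Domains: other.example foobar.com'

# Live use would be: certbot certificates | renewal_command abc.com foobar.com
printf '%s\n' "$SAMPLE_OUTPUT" | renewal_command abc.com foobar.com
```

After running the printed command, `certbot certificates` should show the dropped domain gone from that certificate's `Domains:` line while the certificate name, and therefore its directory, stays the same.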