When decommissioning sites on a server hosting multiple domains and using Let’s Encrypt for SSL certificate renewals, it’s necessary to remove the domains from both the virtual hosts file(s) and Let’s Encrypt’s configuration using certbot. If the domain is not removed from certbot, the remaining domains hosted on the server can encounter SSL certificate errors on renewal.
If old domains are present during the renewal request, it’s likely an error will appear in /var/log/letsencrypt/letsencrypt.log:
ERROR:certbot._internal.log:1 renew failure(s), 0 parse failure(s)
This summary line may also appear:
The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.
To ensure that only the domains that still require SSL certificates are part of the certbot renewal request, the following steps need to be followed:
- List Installed Certificates:
Run the following command to list all installed certificates and their associated domains:
certbot certificates
You should be able to see the Certificate Name as well as the Domains included in the output.
- Update Certificate Renewal Configuration:
Use the following command to update the renewal configuration, specifying only the domains that should be included in the renewal:
certbot certonly --cert-name example_cert_name -d example.com -d example.org
Replace example_cert_name with the name of the certificate to be updated. Include only the domains that should be renewed (e.g., example.com and example.org).
Let’s Encrypt should now have renewed the certificate for just the domains specified, removing any domains not listed from the renewal request. It is possible to test this by running the certbot certificates command again and checking the output.
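The steps above are easy to get wrong by hand on a server with many domains: it is the domains that still have a virtual host, not the ones certbot remembers, that belong in the `-d` list. The script below is an added example, not part of the original post or of certbot itself. It works on a constructed sample of `certbot certificates` output and a constructed nginx vhost fragment (both embedded so it runs offline), extracts the domains certbot currently tracks for a certificate name, compares them against the `server_name` entries still configured, and prints the `certbot certonly --cert-name ... -d ...` command for the domains to keep, rather than executing it. On a real server you would replace the two sample strings with the live command output and your vhost files; the function and variable names are the example's own.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates` output (not real server data).
CERTBOT_OUTPUT='Found the following certs:
  Certificate Name: example_cert_name
    Serial Number: 0123456789abcdef
    Key Type: RSA
    Domains: example.com example.org old.example.net
    Expiry Date: 2024-06-01 00:00:00+00:00 (VALID: 60 days)
    Certificate Path: /etc/letsencrypt/live/example_cert_name/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/example_cert_name/privkey.pem
  Certificate Name: other_cert
    Domains: other.example
'

# Constructed sample of the nginx server blocks still present after decommissioning.
VHOST_CONFIG='server {
    listen 443 ssl;
    server_name example.com www.example.com;
}
server {
    listen 443 ssl;
    server_name example.org;
}
'

# Print the domains certbot currently tracks for the given certificate name,
# space-separated, exactly as they appear on the "Domains:" line.
cert_domains() {
    printf '%s\n' "$CERTBOT_OUTPUT" | awk -v name="$1" '
        /Certificate Name:/ { current = $3 }
        /Domains:/ && current == name { sub(/^[ \t]*Domains:[ \t]*/, ""); print }
    '
}

# Print every server_name still configured in the vhosts, one per line, deduplicated.
hosted_domains() {
    printf '%s\n' "$VHOST_CONFIG" | awk '
        /^[ \t]*server_name/ { for (i = 2; i <= NF; i++) { d = $i; sub(/;$/, "", d); print d } }
    ' | sort -u
}

# Domains on the certificate that still have a vhost and should stay in the renewal.
keep_domains() {
    for d in $(cert_domains "$1"); do
        if hosted_domains | grep -qxF "$d"; then printf '%s\n' "$d"; fi
    done
}

# Domains on the certificate with no remaining vhost; these are the ones that
# would make the CA's validation fail on the next renewal.
drop_domains() {
    for d in $(cert_domains "$1"); do
        hosted_domains | grep -qxF "$d" || printf '%s\n' "$d"
    done
}

# Build the certonly command that re-issues the certificate for the kept domains only.
# It is printed, not executed, so it can be reviewed before running it on the server.
build_certonly_cmd() {
    cmd="certbot certonly --cert-name $1"
    for d in $(keep_domains "$1"); do cmd="$cmd -d $d"; done
    printf '%s\n' "$cmd"
}

build_certonly_cmd example_cert_name
```

With the sample data the script reports old.example.net as the domain to drop and prints the command with `-d example.com -d example.org`. If every domain on a certificate has been decommissioned, keep_domains prints nothing and the generated command has no `-d` flags; that certificate should then be removed rather than re-issued (certbot's `delete --cert-name` subcommand does this), and `certbot renew --dry-run` afterwards confirms that the remaining certificates validate without contacting the production CA for a real issuance.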