9

I have the following certificate:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
 Certificate Name: domain.example
  Domains: domain.example imap.domain.example mail.domain.example pop.domain.example smtp.domain.example www.domain.example
  Expiry Date: 2019-09-09 03:34:20+00:00 (VALID: 62 days)
  Certificate Path: /etc/letsencrypt/live/domain.example/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/domain.example/privkey.pem

Now what I want to do is remove domain.example and www.domain.example from the certificate, because the web server has moved to another instance. The fact that the DNS entries have been changed means that the renewal process will fail if domain.example and www.domain.example are still part of the certificate, because those DNS entries now point to another IP.

How can I remove certain host names from a Let's Encrypt certificate without deleting the certificate and creating a new one?

Patrick Mevzek
manifestor

3 Answers

10

You should use --cert-name together with the list of hostnames you want to keep. So:

certbot certonly --cert-name domain.example -d imap.domain.example,mail.domain.example,pop.domain.example,smtp.domain.example

See https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains

Kurt Roeckx
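As an added example (not certbot's own code, and not part of the answer above), the following script parses the output that `certbot certificates` prints, drops the names that should no longer be on the certificate, and builds the exact `certbot certonly --cert-name ... -d ...` command for the reduced name set. The sample output embedded in it is constructed to match the question; the `parse_certificates` and `plan_domain_change` helpers are this example's own. It refuses to drop a name that is not on the certificate (a typo guard) and refuses to drop every name, since certbot needs at least one `-d` name.

```python
"""Plan a certbot domain change from the output of `certbot certificates`.

Added example, not certbot's own code: parses the "Certificate Name" and
"Domains" lines that certbot prints, removes the names that should no longer
be validated, and builds the argv for `certbot certonly --cert-name ... -d ...`.
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample: what `certbot certificates` printed in the question.
SAMPLE_OUTPUT = """\
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
  Certificate Name: domain.example
    Domains: domain.example imap.domain.example mail.domain.example pop.domain.example smtp.domain.example www.domain.example
    Expiry Date: 2019-09-09 03:34:20+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/domain.example/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.example/privkey.pem
"""


@dataclass
class CertInfo:
    """One certificate lineage as listed by certbot."""
    name: str
    domains: list = field(default_factory=list)
    cert_path: str = ""


def parse_certificates(text):
    """Return a dict mapping certificate name -> CertInfo."""
    certs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Certificate Name:\s*(\S+)", line)
        if m:
            current = CertInfo(name=m.group(1))
            certs[current.name] = current
            continue
        if current is None:
            continue  # header lines before the first certificate
        m = re.match(r"Domains:\s*(.+)", line)
        if m:
            current.domains = m.group(1).split()
            continue
        m = re.match(r"Certificate Path:\s*(\S+)", line)
        if m:
            current.cert_path = m.group(1)
    return certs


def plan_domain_change(cert, drop):
    """Build the certbot argv that keeps every name of `cert` not in `drop`.

    Raises ValueError if a name to drop is not on the certificate (typo guard)
    or if nothing would be left to request.
    """
    drop = set(drop)
    unknown = drop - set(cert.domains)
    if unknown:
        raise ValueError(f"not on certificate {cert.name}: {sorted(unknown)}")
    keep = [d for d in cert.domains if d not in drop]
    if not keep:
        raise ValueError("refusing to remove every name; delete the lineage instead")
    # --cert-name keeps the same lineage, so the paths under
    # /etc/letsencrypt/live/<name>/ stay the same and services only need a reload.
    return ["certbot", "certonly", "--cert-name", cert.name, "-d", ",".join(keep)]


if __name__ == "__main__":
    certs = parse_certificates(SAMPLE_OUTPUT)
    argv = plan_domain_change(certs["domain.example"],
                              ["domain.example", "www.domain.example"])
    print(shlex.join(argv))
```

Run it on the real output by piping `certbot certificates` into `parse_certificates`; the printed command is the one from the answer, with the lineage name taken from certbot's own listing rather than typed by hand.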
3

I don't usually bother reissuing certificates in this case. I just edit the configuration file in /etc/letsencrypt/renewal/example.com.conf and remove the domain from there. At the next renewal, the new certificate will no longer contain the removed domain.

But in your case, as the name you want to remove was the original one for the certificate, I would suggest you not renew this cert at all, but remove the renewal configuration file for the old cert then issue a new cert with only the names you want to keep.

Michael Hampton
    The hostnames do not seem to be in that file as of 0.40.0? – Gert van den Berg Jul 31 '20 at 06:35
  • @GertvandenBerg 0.40.0 of what? The current release of certbot is 1.6.0, which is what I'm using. – Michael Hampton Jul 31 '20 at 14:49
  • Hmmm... 0.40.0 is the version bundled with Ubuntu 20.04. (It seems like it is from late 2019.) I don't see any relevant changes in the changelog to put the domains in the renewal config though... (And with the answer dating from ~v0.35's time, I assume it hasn't been removed and added back?) – Gert van den Berg Aug 01 '20 at 15:18
  • @GertvandenBerg That's very odd. certbot is one of the few packages that must be kept up to date even on an LTS type of system. It's also Ubuntu, so who knows what breakage they've introduced? – Michael Hampton Aug 01 '20 at 15:20
1

How can I remove certain host names from a let's encrypt certificate without deleting the certificate and creating a new one?

You cannot.

A certificate is basically a public key, some metadata (such as dates and list of hostnames) and a signature over all the above (the signature being computed by the CA delivering this certificate).

This basically means that once issued, you can change nothing in it; otherwise the signature will no longer match and it will be rejected as invalid.

You need to generate a new certificate from scratch. You do not need to delete the current one; you can continue to use it or not, and no harm is done if some names in it no longer exist or do not resolve. But you can generate new ones with the proper set of names you need.

This also shows the peril of doing certificates for multiple names: it may provide an incentive as it lowers the number of certificates to handle, but it ties the fate of all the names to one another. When everything is automated, as it should be when dealing with Let's Encrypt, it should not be a problem to have one certificate per name. Of course the situation is different if you have to manage millions of names.

Patrick Mevzek