
My (currently working) Let's Encrypt certificate contains a bunch of Subject Alternative Names. One of these has to be deleted in order to renew the certificate because the domain is no longer available and thus cannot be verified again.

I removed the ServerAlias from my Apache configuration and tried certbot --verbose --non-interactive delete --cert-name <Domain> which was successful, but certbot --renew fails with No valid IP addresses found for <Domain>.

Interactively using certbot delete offers to delete the complete certificate only which is not what I want because all the other domains are still active.

So how can I delete just one of the Subject Alternative Names from the Let's Encrypt configuration and then get a new certificate with a reduced Subject Alternative Names list?
Do I need a new Let's Encrypt account because this is impossible to do with an existing account?

Juergen
  • Using certbot, I'm curious to know how to disable alternative names altogether. What does one domain on a system have to do with another unless explicitly identified as such? – Altimus Prime Oct 19 '21 at 12:38
  • @AltimusPrime, Let's Encrypt generates only one certificate for all the domains hosted on one web server, likely because this is more efficient. That's why there are Subject Alternative Names (= other domains) in the certificate. You need different certbot instances if you don't want this, but I did not try that and thus cannot explain how to do it. – Juergen May 13 '22 at 16:20
  • @Juergen The way to do what I was talking about back then was simply to run certbot separately for each domain instead of running them all at the same time, which I suspect might be what you mean when you say different 'instances'. – Altimus Prime May 14 '22 at 15:43
  • Yes, that's what I meant. – Juergen May 15 '22 at 18:00

1 Answer

Found the answer in the opposite question, How to add a domain to existing certificate generated by Let's Encrypt/Certbot?: While it seems impossible to explicitly state that some domain has to be removed from the Subject Alternative Names list, it is possible to remove the domains whose re-verification is failing:

After deleting the ServerAlias from the Apache configuration (this makes re-verification impossible), call

    certbot renew --force-renewal --allow-subset-of-names --cert-name 

which outputs

    Renewing an existing certificate
    Performing the following challenges:
    ... (domain to be removed still included)
    Challenge failed for domain <domain>
    Cleaning up challenges
    Performing the following challenges:
    ... (domain removed)
    new certificate deployed with reload of apache server ...

Citation from man certbot for --allow-subset-of-names:

When performing domain validation, do not consider it a failure if authorizations can not be obtained for a strict subset of the requested domains. This may be useful for allowing renewals for multiple domains to succeed even if some domains no longer point at this system.

Juergen
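A check worth running after a renewal with --allow-subset-of-names, as an added example that is not part of the original answer: the flag silently drops any name that failed validation, so it is worth confirming that the deployed certificate still covers every name Apache serves and no longer covers the retired one. The script below parses the subjectAltName text printed by `openssl x509 -noout -ext subjectAltName` and compares it with a list of names you still host. The certificate path `/etc/letsencrypt/live/<cert-name>/fullchain.pem` and the sample SAN text are assumptions for illustration; the function names are mine.

```sh
#!/bin/sh
# Added example (not from the original post): compare the DNS names in a
# renewed certificate with the names Apache is still configured to serve.

# san_dns_names SAN_TEXT
#   Turn the "X509v3 Subject Alternative Name: DNS:a, DNS:b" text that
#   `openssl x509 -noout -ext subjectAltName` prints into one sorted,
#   de-duplicated DNS name per line.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | sort -u
}

# list_diff LIST_A LIST_B
#   Print every name in LIST_A that does not occur in LIST_B.
#   Both lists are newline-separated; domain names contain no spaces,
#   so plain word splitting is safe here.
list_diff() {
    b_flat=" $(printf '%s' "$2" | tr '\n' ' ') "
    for name in $1; do
        case "$b_flat" in
            *" $name "*) ;;
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# check_cert_file CERT_PEM SERVED_NAMES
#   Exit 0 when the certificate covers exactly the served names;
#   otherwise report the missing and stale names and exit 1.
#   Requires openssl 1.1.1+ for the -ext option.
check_cert_file() {
    san_text=$(openssl x509 -in "$1" -noout -ext subjectAltName) || return 1
    cert_names=$(san_dns_names "$san_text")
    served=$(printf '%s\n' "$2" | sort -u)

    missing=$(list_diff "$served" "$cert_names")   # served but not in cert
    stale=$(list_diff "$cert_names" "$served")     # in cert but no longer served

    status=0
    if [ -n "$missing" ]; then
        echo "Names served by Apache but absent from the certificate:"
        printf '  %s\n' $missing
        status=1
    fi
    if [ -n "$stale" ]; then
        echo "Names still in the certificate but no longer served:"
        printf '  %s\n' $stale
        status=1
    fi
    [ "$status" -eq 0 ] && echo "Certificate SAN list matches the served names."
    return "$status"
}

# Usage (assumed paths; run after `certbot renew --allow-subset-of-names`):
#   check_cert_file /etc/letsencrypt/live/<cert-name>/fullchain.pem \
#       "$(printf 'example.org\nwww.example.org')"
```

A non-zero exit from `check_cert_file` is a useful hook for a post-renewal script or monitoring job: "missing" names mean a still-active vhost is about to serve a certificate that does not cover it, while "stale" names mean the retired domain is still listed and the renewal did not drop it as intended.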