How to remove an (alternative) domain from a Let's Encrypt (SAN) certificate using certbot


Published on - Listed in Security TLS Internet


Let's Encrypt allows the creation of SAN (Subject Alternative Name) certificates, which cover multiple domain names or subdomains in a single certificate:

root@linux ~ # certbot -n certonly --expand --webroot -w /var/www/letsencrypt -d www.example.com -d example.com -d beta.example.com -d my.example.com

The certificate can then be listed using certbot certificates:

root@linux ~ # certbot certificates
[...]
Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com beta.example.com my.example.com example.com

    Expiry Date: 2022-01-21 16:00:45+00:00 (VALID: 4 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
[...]

Note: the certificate name (identifier) is usually the first domain in the list.

The automatic renewal process (certbot renew) covers all domains in that certificate. If the validation of any one domain in the list fails, the renewal of the whole certificate fails:

2022-01-17 07:21:30,723:WARNING:certbot.renewal:Attempting to renew cert (www.example.com) from /etc/letsencrypt/renewal/www.example.com.conf produced an unexpected error: Failed authorization procedure. beta.example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://beta.example.com/.well-known/acme-challenge/U4ixi_WUxNDKSDdYxhwvsAe-gt92PFhy493SCmJFGHg [xxx.xxx.xxx.xxx]: "\n\n\n<!DOCTYPE html>\n<html>\n    <head>\n    <meta http-equiv=\"Content-type\" content=\"text/html; charset=utf-8\">\n    <meta http-equi". Skipping.

In this particular situation, the beta.example.com subdomain had a DNS change and now points to a different IP address. The Let's Encrypt validation server therefore could not complete the HTTP-01 challenge for that name, which caused the renewal of the whole certificate to fail.

To remove a (sub)domain from the certificate, run certbot again with the --cert-name parameter set to the certificate name identifier and list only the remaining domains with -d:

root@linux ~ # certbot -n certonly --cert-name www.example.com --expand --webroot -w /var/www/letsencrypt -d www.example.com -d my.example.com -d example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.example.com/privkey.pem
   Your cert will expire on 2022-04-17. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Because beta.example.com was no longer listed with the -d parameter, certbot issued a new certificate under the same certificate name without that subdomain. This can be verified using certbot certificates again:

root@linux ~ # certbot certificates --cert-name www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following matching certs:
  Certificate Name: www.example.com
    Domains: www.example.com my.example.com example.com
    Expiry Date: 2022-04-17 09:33:10+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem
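As an added example (not part of the original post), the following POSIX shell helper turns the procedure above into a reusable function: it parses certbot certificates output for a given certificate name, drops the failing SAN, and prints the certbot command with the remaining domains. It assumes the webroot path /var/www/letsencrypt from the commands above, uses a constructed sample of the certbot output, and refuses to produce a command that would leave no names in the certificate.

```shell
#!/bin/sh
# Derive the certbot command that drops one SAN from an existing certificate.
# Assumption: webroot authenticator with the path used on this page.
WEBROOT=/var/www/letsencrypt

# Constructed sample of `certbot certificates` output (matches the post).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: www.example.com
    Domains: www.example.com beta.example.com my.example.com example.com
    Expiry Date: 2022-01-21 16:00:45+00:00 (VALID: 4 days)
    Certificate Path: /etc/letsencrypt/live/www.example.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.example.com/privkey.pem'

# cert_domains NAME OUTPUT -> space-separated domains of certificate NAME
cert_domains() {
  printf '%s\n' "$2" | awk -v name="$1" '
    $1 == "Certificate" && $2 == "Name:" { hit = ($3 == name) }
    hit && $1 == "Domains:" { sub(/^[ \t]*Domains:[ \t]*/, ""); print; exit }'
}

# remaining_domains NAME DROP OUTPUT -> domains of NAME without DROP, order kept
remaining_domains() {
  for d in $(cert_domains "$1" "$3"); do
    [ "$d" = "$2" ] || printf '%s ' "$d"
  done | sed 's/ $//'
}

# removal_command NAME DROP OUTPUT -> prints the certbot command to run;
# fails if DROP is not a SAN of NAME or if nothing would remain.
removal_command() {
  all=$(cert_domains "$1" "$3")
  case " $all " in *" $2 "*) ;; *) return 1 ;; esac
  keep=$(remaining_domains "$1" "$2" "$3")
  [ -n "$keep" ] || return 1   # never request a certificate with no names
  cmd="certbot -n certonly --cert-name $1 --expand --webroot -w $WEBROOT"
  for d in $keep; do cmd="$cmd -d $d"; done
  printf '%s\n' "$cmd"
}

# Usage: drop the subdomain whose HTTP-01 validation failed.
removal_command www.example.com beta.example.com "$SAMPLE_CERTS"
```

On a real host, replace SAMPLE_CERTS with the captured output of certbot certificates and review the printed command before running it.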
