Let's Encrypt: Remove only one hostname from certificate

I have the following certificate:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
 Certificate Name: domain.example
  Domains: domain.example imap.domain.example mail.domain.example pop.domain.example smtp.domain.example www.domain.example
  Expiry Date: 2019-09-09 03:34:20+00:00 (VALID: 62 days)
  Certificate Path: /etc/letsencrypt/live/domain.example/fullchain.pem
  Private Key Path: /etc/letsencrypt/live/domain.example/privkey.pem

Now what I want to do is to remove domain.example and www.domain.example from the certificate, because the web server has moved to another instance. The fact that the DNS entries have been changed means that the renewal process will fail if domain.example and www.domain.example are still part of the certificate, because the DNS entries point to another IP now.

How can I remove certain host names from a Let's Encrypt certificate without deleting the certificate and creating a new one?


You should use --cert-name together with the list of hostnames you want to keep. So:

certbot certonly --cert-name domain.example -d imap.domain.example,mail.domain.example,pop.domain.example,smtp.domain.example

See https://certbot.eff.org/docs/using.html#changing-a-certificate-s-domains
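A worked form of the --cert-name approach, added here and not part of the answer above: it reads the "Domains:" line that `certbot certificates` prints for a lineage, drops the names whose DNS now points elsewhere, and assembles the reissue command that keeps the existing lineage name (so the paths under /etc/letsencrypt/live do not change). The `certbot certificates` output below is constructed to match the question; `cert_sans` assumes an OpenSSL with the `-ext` option (1.1.1 or newer) and is only a post-reissue check.

```shell
#!/bin/sh
# Constructed sample of `certbot certificates` output (mirrors the question).
SAMPLE_CERTS='Found the following certs:
  Certificate Name: domain.example
    Domains: domain.example imap.domain.example mail.domain.example pop.domain.example smtp.domain.example www.domain.example
    Expiry Date: 2019-09-09 03:34:20+00:00 (VALID: 62 days)
    Certificate Path: /etc/letsencrypt/live/domain.example/fullchain.pem'

# Print the space-separated SAN list certbot records for lineage $1.
# Reads `certbot certificates` output on stdin.
lineage_domains() {
  awk -v name="$1" '
    /Certificate Name:/ { cur = $3 }
    /Domains:/ && cur == name { sub(/^[ \t]*Domains:[ \t]*/, ""); print }'
}

# Drop every name given as $2.. from the space-separated list in $1.
# Output is comma-separated, the form certbot's -d option accepts.
keep_domains() {
  list=$1; shift
  kept=
  for name in $list; do
    drop=0
    for gone in "$@"; do [ "$name" = "$gone" ] && drop=1; done
    [ $drop -eq 0 ] && kept="${kept:+$kept,}$name"
  done
  printf '%s\n' "$kept"
}

# Build the reissue command for lineage $1, dropping the names $2..
# Reusing --cert-name updates the lineage in place instead of creating
# a second one with a "-0001" suffix.
reissue_command() {
  lineage=$1; shift
  current=$(lineage_domains "$lineage")
  printf 'certbot certonly --cert-name %s -d %s\n' \
    "$lineage" "$(keep_domains "$current" "$@")"
}

# After the reissue, list the DNS SANs actually present in the live cert
# so the result can be compared against the kept names.
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName |
    tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p' | sort | paste -sd ' ' -
}

# Sample run: remove the two names that moved to the new web server.
printf '%s\n' "$SAMPLE_CERTS" |
  reissue_command domain.example domain.example www.domain.example
```

Compare `cert_sans /etc/letsencrypt/live/domain.example/cert.pem` with the kept list after the reissue; any name still present that no longer resolves to this host will break the next renewal.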


I don't usually bother reissuing certificates in this case. I just edit the configuration file in /etc/letsencrypt/renewal/example.com.conf and remove the domain from there. At the next renewal, the new certificate will no longer contain the removed domain.

But in your case, as the name you want to remove was the original one for the certificate, I would suggest you not renew this cert at all, but remove the renewal configuration file for the old cert then issue a new cert with only the names you want to keep.


How can I remove certain host names from a Let's Encrypt certificate without deleting the certificate and creating a new one?

You cannot.

A certificate is basically a public key, some metadata (such as dates and the list of hostnames) and a signature over all of the above (the signature being computed by the CA delivering this certificate).

Which basically means that, once issued, you can change nothing in it; otherwise the signature will no longer match and it will be rejected as invalid.

You need to generate a new certificate from scratch. You do not need to delete the current one; you can continue to use it or not, and no harm is done if some names in it no longer exist or no longer resolve. But you can generate new ones with the proper set of names you need.

This also shows the peril of doing certificates for multiple names: it may provide an incentive, as it lowers the number of certificates to handle, but it ties the fate of all the names together. When everything is automated, as it should be when dealing with Let's Encrypt, it should not be a problem to have one certificate per name. Of course the situation is different if you have to manage millions of names.