Removing Subdomains From A Let’s Encrypt Certificate

Adding subdomains to an existing Let’s Encrypt certificate is straightforward: run Certbot again with the --expand flag. Removing subdomains, that is, dropping subject alternative names (SANs) from the certificate, is another matter: it won’t be supported by Certbot until the 0.10.0 release.

You can’t simply run Certbot again with only the subdomains you want, because Certbot matches the request against the certificate it already holds for domain.tld instead of treating it as a fresh request. Where it does issue something, you end up with a second, “forked” certificate lineage with its own paths under /etc/letsencrypt/live/, which means updating the certificate paths in your web server configuration.

Instead, remove the old certificate’s files first and only then issue the certificate you want. Because the new certificate takes over the same lineage name, the paths under /etc/letsencrypt/live/domain.tld/ are recreated unchanged and the web server only needs a reload:

# Make a backup first. archive/ holds the private keys, so this copy is the
# only way back if issuance fails after the next step.
sudo cp -r /etc/letsencrypt /etc/_letsencrypt

# Remove the old lineage (archive, live symlinks and renewal config) so that
# Certbot cannot match the new request against it.
sudo rm -r /etc/letsencrypt/archive/domain.tld
sudo rm -r /etc/letsencrypt/live/domain.tld
sudo rm /etc/letsencrypt/renewal/domain.tld.conf

# Issue a new certificate with only the names you want. The webroot (-w) must
# be the directory Nginx serves for every listed name, because the HTTP-01
# challenge files are written under its /.well-known/acme-challenge/ path.
sudo /opt/letsencrypt/certbot-auto certonly --webroot -w /path/to/my/app -d 'domain.tld,www.domain.tld'

# The new lineage reuses the same name, so /etc/letsencrypt/live/domain.tld/
# is back at the paths Nginx already references; a reload picks it up.
sudo service nginx reload

This worked for me on two different production systems using Certbot 0.9.3.
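The same procedure as an added example (it is not part of the original post): a script that performs the steps above but keeps a dated backup, puts the old lineage back automatically if issuance fails after the removal, and checks that the reissued certificate's DNS SANs are exactly the wanted set before Nginx is reloaded. The lineage name, webroot and certbot-auto path are the post's placeholders and are assumed here; the SAN check parses `openssl x509 -noout -text` output, so it works on OpenSSL 1.0.x as well as 1.1 and later.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumed (hypothetical) values:
# the lineage name, webroot and certbot-auto path below. The live/ paths are
# unchanged after reissue, so the Nginx configuration needs no edit.
set -eu

LE_DIR=/etc/letsencrypt
LINEAGE=domain.tld                   # directory name under live/ and archive/
WEBROOT=/path/to/my/app              # must be served for every name in WANTED
WANTED='domain.tld,www.domain.tld'   # names to keep; dropped names are just absent
CERTBOT=/opt/letsencrypt/certbot-auto

# Comma-separated domain list -> lowercase, trimmed, one per line, sorted, unique.
normalize_domains() {
  printf '%s\n' "$1" | tr ',' '\n' | tr 'A-Z' 'a-z' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# DNS names from the line `openssl x509 -noout -text` prints under
# "X509v3 Subject Alternative Name:", e.g. "DNS:domain.tld, DNS:www.domain.tld".
sans_from_openssl() {
  printf '%s\n' "$1" | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p' | tr 'A-Z' 'a-z' | sort -u
}

# Succeeds only when the certificate's DNS SANs are exactly the wanted set:
# a missing name breaks a vhost, a leftover name means the removal did not work.
sans_match() {
  [ "$(normalize_domains "$1")" = "$(sans_from_openssl "$2")" ]
}

# The SAN line of the certificate file given as $1.
cert_san_line() {
  sudo openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Put the old lineage back from the backup; runs from the EXIT trap on failure.
# Anything Certbot half-created under the same name is cleared first so the
# copy does not nest one directory inside another.
restore_lineage() {
  echo "restoring $LINEAGE from $BACKUP" >&2
  sudo rm -rf "$LE_DIR/archive/$LINEAGE" "$LE_DIR/live/$LINEAGE"
  sudo cp -a "$BACKUP/archive/$LINEAGE" "$LE_DIR/archive/"
  sudo cp -a "$BACKUP/live/$LINEAGE" "$LE_DIR/live/"
  sudo cp -a "$BACKUP/renewal/$LINEAGE.conf" "$LE_DIR/renewal/"
}

reissue_with_sans() {
  BACKUP="${LE_DIR}_backup_$(date +%Y%m%d%H%M%S)"
  sudo cp -a "$LE_DIR" "$BACKUP"          # archive/ holds the private keys too
  trap restore_lineage EXIT               # cleared below once everything passed

  sudo rm -r "$LE_DIR/archive/$LINEAGE" "$LE_DIR/live/$LINEAGE"
  sudo rm "$LE_DIR/renewal/$LINEAGE.conf"

  sudo "$CERTBOT" certonly --webroot -w "$WEBROOT" -d "$WANTED"

  san_line=$(cert_san_line "$LE_DIR/live/$LINEAGE/cert.pem")
  if ! sans_match "$WANTED" "$san_line"; then
    echo "SAN mismatch: wanted '$WANTED', got '$san_line'" >&2
    exit 1                                # the trap restores the old lineage
  fi

  trap - EXIT
  sudo nginx -t && sudo service nginx reload
}

# Run the procedure only when asked for explicitly: sh reissue.sh --run
if [ "${1:-}" = "--run" ]; then
  reissue_with_sans
fi
```

The SAN comparison is deliberately exact in both directions: the whole point of the exercise is that a name is gone, so a certificate that still carries it should never reach Nginx, and a certificate missing one of the kept names would take a vhost down on reload.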

Andrew Stewart • 19 October 2016 • SSL
You can reach me by email or on Twitter.