Removing Subdomains From A Let’s Encrypt Certificate
It’s straightforward to add subdomains to an existing Let’s Encrypt certificate: run Certbot with the --expand flag. However, removing subdomains (subject alternative names, SANs) won’t be supported by Certbot until the 0.10.0 release.
You can’t just generate a new certificate with only the subdomains you want, because Certbot takes the list of names from the existing certificate. You would also end up with a “forked” certificate, which means updating the certificate paths in your web server configuration.
Instead, you first need to remove the old certificate information, and only then generate the certificate you want:
# Make a backup just in case.
sudo cp -r /etc/letsencrypt /etc/_letsencrypt
# Remove the old certificate information.
sudo rm -r /etc/letsencrypt/archive/domain.tld
sudo rm -r /etc/letsencrypt/live/domain.tld
sudo rm /etc/letsencrypt/renewal/domain.tld.conf
# Generate a new certificate with the subdomains you want.
sudo /opt/letsencrypt/certbot-auto certonly --webroot -w /path/to/my/app -d 'domain.tld,www.domain.tld'
# Reload Nginx.
sudo service nginx reload
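The same procedure as a reusable shell function, added here as an example and not part of the original post: it refuses to run unless the lineage exists and no earlier backup is in the way, and a second helper prints the SANs of the newly issued certificate so the result can be checked before reloading Nginx. The LE_ROOT and CERTBOT variables, the function names and the live/<lineage>/cert.pem path (Certbot’s usual layout) are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not the post's own script. LE_ROOT and CERTBOT default to
# the paths used in the post and can be overridden from the environment,
# which also allows a dry run against a scratch directory.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"
CERTBOT="${CERTBOT:-/opt/letsencrypt/certbot-auto}"

# Usage: reissue_without_sans <lineage> <webroot> <domain1,domain2,...>
# Backs up $LE_ROOT, removes the lineage's archive/live/renewal entries,
# then requests a fresh certificate for exactly the listed names.
reissue_without_sans() {
    lineage="$1"; webroot="$2"; domains="$3"
    backup="$(dirname "$LE_ROOT")/_$(basename "$LE_ROOT")"

    # Refuse to touch anything unless the lineage is really there.
    if [ ! -d "$LE_ROOT/live/$lineage" ]; then
        echo "no lineage named $lineage under $LE_ROOT" >&2
        return 1
    fi
    # Refuse to overwrite an earlier backup; the operator must decide.
    if [ -e "$backup" ]; then
        echo "backup $backup already exists, move it aside first" >&2
        return 1
    fi
    cp -r "$LE_ROOT" "$backup" || return 1

    # Same three removals as in the post, for the chosen lineage only.
    rm -r "$LE_ROOT/archive/$lineage" "$LE_ROOT/live/$lineage" || return 1
    rm "$LE_ROOT/renewal/$lineage.conf" || return 1

    # Certbot accepts a comma-separated list of names for -d.
    "$CERTBOT" certonly --webroot -w "$webroot" -d "$domains"
}

# Usage: list_sans <lineage>
# Prints the subjectAltName line of the certificate Certbot wrote, so the
# names can be compared with the intended list before the server reload.
# Assumes Certbot's usual live/<lineage>/cert.pem path.
list_sans() {
    openssl x509 -in "$LE_ROOT/live/$1/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name'
}
```

Run it as root with the real paths, e.g. `reissue_without_sans domain.tld /path/to/my/app 'domain.tld,www.domain.tld' && list_sans domain.tld`, and reload Nginx once the printed names are the ones you want.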
This worked for me on two different production systems using Certbot 0.9.3.