
There are lots of tutorials online of how to create and renew a certificate with letsencrypt, but I want to remove and stop renewing a certificate that I created (it was only created for testing purposes). How do I stop renewing one certificate originally obtained with the letsencrypt command (while still continuing to renew other certificates)?

I don't see a single instance of anyone asking this question anywhere else, nor a command in man letsencrypt that seems to do it.

Currently I am renewing certificates with the following cron job:

30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx
Jackson
  • You might need to give more details-- usually that's not automagical. I've a cronjob that handles this monthly. I just comment that out if I want to disable it (`crontab -e`). – David Betz Oct 13 '16 at 20:44
  • @DavidBetz Updated with more details. It's not as simple as disabling the cron job, because I have other certificates on this server that I still want to renew. – Jackson Oct 13 '16 at 21:08

6 Answers


With certbot, you can simply use:

certbot delete --cert-name mywebsite.com

This removes the certificate and all relevant files from your letsencrypt config directory.

minimalis
  • Yes, the selected answer -- while it was right I'm sure, is outdated. This answer is the correct answer and it'd be great if that could be updated. – Frank V Feb 26 '18 at 16:53
  • If you use `certbot delete` you'll get an interactive menu – Sjors Ottjes Dec 29 '20 at 07:19
  • Didn't work for me. I got a confirmation prompt, and then a message "No certificate was found with name". Yet, subsequent attempt to renew everything failed again citing this particular domain as the culprit (it is no longer in DNS). – Mikhail T. Apr 18 '21 at 17:14

The OP wants to delete the certificate in addition to stopping renewal, and that was covered by the other answers. However, if you want to keep the certificate but discontinue future renewals (for example if you have switched to a different server, but are waiting for all the DNS changes to propagate), you can go into /etc/letsencrypt/renewal and rename example.com.conf to example.com.conf.disabled (or any other non-.conf name), or even delete it altogether:

/etc/letsencrypt/renewal/example.com.conf.disabled

You can verify it was disabled by running the following command, as noted in the other answer.

sudo certbot renew --dry-run

Lastly, some have suggested elsewhere that one can simply put autorenew = False at the top of the /etc/letsencrypt/renewal/example.com.conf file, but that doesn't seem to work. (I would have replied to that post to give my feedback, but their forum cuts off comments after 30 days.)

After review I realize that much of this information is included in the other answer, but I wanted to clarify the steps needed for the separate use case of disabling renewal without deleting or disabling the certificate itself.

Garret Wilson
  • The option autorenew = False works perfectly for me. I put the option under the [renewalparams] section of the configuration file /etc/letsencrypt/renewal/mycert.conf and the renew was simply skipped. – dAm2K Mar 31 '23 at 23:12

It doesn't seem like there is a command to formally "cancel" renewals at this time. However, I found a suggestion from this thread that seems to work.

I tried running the following command,

sudo find /etc/letsencrypt/ -name '*outdated.example.com*'

and only found one file in each of the live/, archive/ and renewal/ directories.

I also tried running,

sudo grep -r /etc/letsencrypt/ -e 'outdated.example.com'

and only found references to the outdated domain in one file in the renewal/ directory (which was renewal/outdated.example.com.conf).

I ran letsencrypt renew and it listed outdated.example.com in the output.

I then created a directory _renewal_disabled and moved renewal/outdated.example.com.conf to that directory.

I ran letsencrypt renew again, and it no longer listed outdated.example.com in the output.

From this I can assume that I've "disabled" renewal of the certificate.

Jackson
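The move-aside approach from Garret Wilson's and Jackson's answers, as an added example that is not from any answer on this page: a small POSIX shell helper that lists the names certbot would still consider for renewal and moves one renewal config into an assumed renewal-disabled/ directory, leaving live/ and archive/ (the certificate and key) untouched. LE_DIR is an assumed override so the functions can be exercised against a scratch copy instead of the real /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not from any answer above): disable renewal of a single
# certificate by moving its renewal config out of renewal/. certbot renew
# only looks at *.conf files in renewal/, so the cert in live/ and archive/
# stays in place and can be re-enabled later.
# LE_DIR is an assumed override for testing; default is the real layout.
set -eu

LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# Print the cert names certbot would still consider for renewal
# (one per *.conf file in renewal/; the file name is the lineage name).
list_renewals() {
    for f in "$LE_DIR"/renewal/*.conf; do
        [ -e "$f" ] || continue
        basename "$f" .conf
    done
}

# Move renewal/<name>.conf into renewal-disabled/ so `certbot renew`
# skips it. Rejects empty names, dot-prefixed names and anything with a
# slash so the name cannot escape the renewal directory.
disable_renewal() {
    name="$1"
    case "$name" in
        ""|*/*|.*) echo "invalid cert name: $name" >&2; return 2 ;;
    esac
    src="$LE_DIR/renewal/$name.conf"
    [ -f "$src" ] || { echo "no renewal config for $name" >&2; return 1; }
    mkdir -p "$LE_DIR/renewal-disabled"
    mv "$src" "$LE_DIR/renewal-disabled/$name.conf"
}

# Reverse of disable_renewal: put the config back so renewals resume.
enable_renewal() {
    name="$1"
    src="$LE_DIR/renewal-disabled/$name.conf"
    [ -f "$src" ] || { echo "no disabled config for $name" >&2; return 1; }
    mv "$src" "$LE_DIR/renewal/$name.conf"
}
```

On the real /etc/letsencrypt, run `sudo certbot renew --dry-run` after disable_renewal; as the answers above describe, the moved name should no longer appear in its output.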

updated

Please see answer https://stackoverflow.com/a/47372583/1426788

A newer version of certbot supports deleting certs via the CLI

old answer

To remove a domain from your certbot renewals, you can remove or move (safer) the bad domain cert files and run certbot renew --dry-run to ensure that you have removed the outdated / invalid configuration.

rm -rf /etc/letsencrypt/live/${BAD_DOMAIN}/
rm -f /etc/letsencrypt/renewal/${BAD_DOMAIN}.conf
certbot renew --dry-run

If that works, you can continue your renewals without --dry-run for future updates.

certbot renew

If you're running with something like nginx or some other server, don't forget to edit your configs so they are no longer pointing to invalid or removed certs.

Finally, restart or reload your server configs and you're done!

random-forest-cat

The following provides an interactive menu:

certbot delete

You can also delete a certificate non-interactively using certbot delete --cert-name example.com, but this appears to go through the normal authorisation process, and will fail if it can't authorise your domain. The interactive command above deletes everything without trying to authorise.

Dan
  • I know it's a newer feature, but this should be the accepted answer. Had so much trouble trying to do it with `--cert-name`, this works ez pz – jhmckimm Jul 02 '23 at 07:12

Here's what I do/did:

  1. I ran

     certbot renew

     and noted which domains were not renewing or had problems.

  2. I created a

     /etc/certbot/disabled

     directory to hold disabled (but not deleted) domains.

  3. On a case-by-case basis, I moved all undesired *.conf files from /etc/certbot/renewal into /etc/certbot/disabled:

     # cd /etc/certbot/renewal
     # mv <disabled_domain> ../disabled

  4. I then resolved all special cases:

     4A) Default "catchall" server website

     # certbot --apache -d <server.catchall.url>

     4B) Mail server

     i) Stop httpd

     # service httpd stop

     ii) Issue the certbot command to generate the certificate

     # certbot certonly --standalone -d <mail.server.domain>

     iii) Start httpd

     # service httpd start

     iv) Check httpd

     # service httpd status

  5. I added a command to my cron job to check for certificate expiry every week, on Sunday:

     # GL  2019-12-09  Renew Let's Encrypt SSL Certificate
     #                 Execute every Sunday at noon
     00 12 * * Sun     /bin/python -c 'import random; import time; time.sleep(random.random() * 3600)' && /bin/certbot renew >> /var/log/certbot.log 2>&1

This resolved my issues.