Remove a single Certbot (LetsEncrypt) certificate from a server

I've been using Certbot to generate and renew Let's Encrypt certificates for most of my smaller sites and services, and recently I needed to move a site from one server to another. It was easy enough to build the new server, then generate the certificate on the new server and use it in Apache or Nginx's configuration.

However, on the old server I no longer wanted to have the old certificate get renewed every week/month/etc. during the certbot-auto cron runs, so I looked to see if there was a way to simply have Certbot delete a certificate. It turns out there's not, but there is an issue—adding -delete option to remove the cert files—to add this functionality.

In the meantime, after you've moved the site off your old server, and made sure Apache's not looking for the certificate for that site anymore, the process for manually removing the certificate is straightforward—just delete the relevant files inside /etc/certbot (or /etc/letsencrypt if you have an older server that used the letsencrypt tool before it was changed to certbot):

rm -rf /etc/certbot/archive/[sitename]/
rm -rf /etc/certbot/live/[sitename]/
rm -rf /etc/certbot/renewal/[sitename].conf

After removing those directories and files, future runs of certbot-auto will no longer attempt to renew those certificates. Note that technically you only need to remove the .conf file inside /etc/certbot/renewal, but I don't like leaving valid keys/certs hanging around on any of my servers.

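For even better security, you can revoke the certificate before deleting the configuration, with something like certbot revoke --cert-path /etc/certbot/live/[sitename]/cert.pem (revoke is pointed at the certificate file with --cert-path rather than at a domain with -d, so it has to run while the file still exists).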
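As an added example (not part of the original post), here are a few shell functions for checking the state of a Certbot directory before and after a manual removal: whether the web server config still points at the certificate, what is left on disk for a name, and which names have keys on disk but no renewal config. The directory layout is the one described above; the function names and the web server config directory argument are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit a Certbot config directory around a manual removal.
# Assumed layout (from the article): <dir>/archive, <dir>/live, <dir>/renewal.

# Succeeds (exit 0) if any file under the web server config directory still
# references the certificate's live/ path. Run this before deleting anything.
still_referenced() {
    dir=$1 name=$2 webconf=$3
    grep -rqsF -- "$dir/live/$name/" "$webconf"
}

# Prints every path still present for one certificate name.
# Exit 0 means nothing is left; exit 1 means at least one path remains.
leftover_for() {
    dir=$1 name=$2 found=0
    for p in "$dir/archive/$name" "$dir/live/$name" "$dir/renewal/$name.conf"; do
        if [ -e "$p" ] || [ -L "$p" ]; then
            echo "$p"
            found=1
        fi
    done
    return "$found"
}

# Prints names that have material in archive/ or live/ but no renewal config:
# renewal is disabled for them, yet private keys are still sitting on disk.
orphaned_lineages() {
    dir=$1
    for sub in archive live; do
        for d in "$dir/$sub"/*/; do
            [ -d "$d" ] || continue          # glob matched nothing
            name=$(basename "$d")
            [ -e "$dir/renewal/$name.conf" ] || echo "$name"
        done
    done | sort -u
}
```

For example, still_referenced /etc/certbot [sitename] /etc/apache2 should fail before you remove anything, and leftover_for /etc/certbot [sitename] should print nothing afterwards (/etc/apache2 is an assumed path; use wherever your web server keeps its config).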

Comments

Hopefully a delete option will be added to certbot. I wasn't sure if deleting certificates from the relevant directories was enough.

I used the following command: rm -rf /etc/letsencrypt/*/{example1.com,example2.com}.

Thanks for sharing, very useful information.

Thank you for sharing, great help.
Maybe put the revoke at the beginning. First I deleted the configuration files (PANIC!) and then read those lines (too late :))

Certbot now provides this functionality via "certbot delete" then an interactive prompt.

Thanks for the very useful information.
I followed the instructions on removing the certificate but didn't see the code for revoking the certificate before the removal. What can I do?

Let me share this with you: I have a web server where I installed let's-encrypt. When the server had a problem and could not be reached through the browser (meanwhile I was able to log in through the shell), I backed up and set up another server. When I was done setting up the server, I tried to install let's-encrypt with the same domain name I used on the old server that's no longer reachable, but it could not be installed. What can I do to resolve this? Thanks

I was happy to find it's in the latest certbot. In my case I'm using certbot-auto, but the same applies to the latest certbot. If you don't want the interactive deal, it's just:

certbot-auto delete --cert-name my-cert-name

I like to do a certbot-auto certificates first to make sure I have the name right.