How to stop renewing a letsencrypt/certbot certificate?

Question

There are lots of tutorials online of how to create and renew a certificate with letsencrypt, but I want to remove and stop renewing a certificate that I created (it was only created for testing purposes). How do I stop renewing one certificate originally obtained with the letsencrypt command (while still continuing to renew other certificates)?

I don't see a single instance of anyone asking this question anywhere else, nor a command in man letsencrypt that seems to do it.

Currently I am renewing certificates with the following cron job:

30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx

Answer 1

The OP wants to delete the certificate in addition to stopping renewal, and that was covered by the other answers. However if you want to keep the certificate but discontinue future renewals (for example if you have switched to a different server, but are waiting for all the DNS changes to propagate), you can go into /etc/letsencrypt/renewal and rename example.com.conf to example.com.conf.disabled (or any other non-.conf name, or even delete it altogether:

/etc/letsencrypt/renewal/example.com.conf.disabled

You can verify it was disabled by running the following command, as noted in the other answer.

sudo certbot renew --dry-run

Lastly some have suggested elsewhere that one can simple put autorenew = False at the top of the /etc/letsencrypt/renewal/example.com.conf file, but that doesn't seem to work. (I would have replied to that post to give my feedback, but their forum cuts off comments after 30 days.)

After review I realize that much of this information is included in the other answer, but I wanted to clarify the steps needed for the separate use case of disabling renewal without deleting or disabling the certificate itself.

Answer 2

It doesn't seem like there is a command to formally "cancel" renewals at this time. However, I found a suggestion from this thread that seems to work.

I tried running the following command,

sudo find /etc/letsencrypt/ -name '*outdated.example.com*'

and only found one file in each the live/, archive/ and renewal/ directory.

I also tried running,

sudo grep -r /etc/letsencrypt/ -e 'outdated.example.com'

and only found references to the outdated domain in one file in the renewal/ directory (which was renewal/outdated.example.com.conf).

I ran letsencrypt renew and it listed outdated.example.com in the output.

I then created a directory _renewal_disabled and moved renewal/outdated.example.com.conf to that directory.

I ran letsencrypt renew again, and it no longer listed outdated.example.com in the output.

From this I can assume that I've "disabled" renewal of the certificate.

Answer 3

updated

Please see answer https://stackoverflow.com/a/47372583/1426788

A newer version of certbot supports deleting certs via the CLI

old answer

To remove a domain from your certbot renewals, you can remove or move (safer) the bad domain cert files and run certbot renew --dry-run to ensure that you have removed the outdated / invalid configuration.

rm -rf /etc/letsencrypt/live/${BAD_DOMAIN}/
rm -f /etc/letsencrypt/renewal/${BAD_DOMAIN}.conf
certbot renew --dry-run

If that works, you can continue your renewals without --dry-run for future updates.

certbot renew

If you're running with something like nginx or some other server, don't forget to edit your configs so they are no longer pointing to invalid or removed certs.

Finally, restart or reload your server configs and you're done!

Answer 4

The following provides an interactive menu:

certbot delete

You can also delete a certificate non-interactively using certbot delete --cert-name example.com, but this appears to go through the normal authorisation process, and will fail if it can't authorise your domain. The interactive command above deletes everything without trying to authorise.