Certbot Commands

List All Certificates

  • certbot certificates

Delete a Certbot SSL Certificate

  • certbot delete --apache -d

This command will offer an index from which you can select the domain name:

  • sudo certbot delete

You can also delete a Certbot certificate by including the domain name in the command, like this:

  • certbot delete --cert-name example.com

Issue or Renew an SSL certificate

The --force-renewal, --duplicate, and --expand options control Certbot’s behavior when re-creating a certificate with the same name as an existing certificate. If you don’t specify a requested behavior, Certbot may ask you what you intended.

--force-renewal tells Certbot to request a new certificate with the same domains as an existing certificate. Each domain must be explicitly specified via -d. If successful, this certificate is saved alongside the earlier one and symbolic links (the “live” reference) will be updated to point to the new certificate. This is a valid method of renewing a specific individual certificate.

--duplicate tells Certbot to create a separate, unrelated certificate with the same domains as an existing certificate. This certificate is saved completely separately from the prior one. Most users will not need to issue this command in normal circumstances.

--expand tells Certbot to update an existing certificate with a new certificate that contains all of the old domains and one or more additional new domains. With the --expand option, use the -d option to specify all existing domains and one or more new domains.

  • certbot --expand -d existing.com,example.com,newdomain.com
  • certbot --apache -d example.com

Revoking certificates

If your account key has been compromised or you otherwise need to revoke a certificate, use the revoke command to do so. Note that the revoke command takes the certificate path (ending in cert.pem), not a certificate name or domain.

  • certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem

You can also specify the reason for revoking your certificate by using the --reason flag. Reasons include unspecified, which is the default, as well as keycompromise, affiliationchanged, superseded, and cessationofoperation:

  • certbot revoke --cert-path /etc/letsencrypt/live/CERTNAME/cert.pem --reason keycompromise

Additionally, if a certificate is a test certificate obtained via the --staging or --test-cert flag, that flag must be passed to the revoke subcommand. Once a certificate is revoked (or for other certificate management tasks), all of a certificate’s relevant files can be removed from the system with the delete subcommand.


If you don’t use delete to remove the certificate completely, it will be renewed automatically at the next renewal event.
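
The revoke-then-delete sequence above as a dry-run helper (an added example, not from the original page or the Certbot project): it prints the two commands for a certificate name and appends --staging when the certificate's renewal file points at a staging server. The function name plan_revoke and the reliance on Certbot's default directory layout (live/NAME/cert.pem and renewal/NAME.conf with a "server =" line) are assumptions.

```shell
#!/bin/sh
# Added example: prints (does not run) the revoke + delete commands for one certificate.
# Assumption: Certbot's default layout, <config_dir>/live/<name>/cert.pem and
# <config_dir>/renewal/<name>.conf, where the conf's "server =" line names the ACME endpoint.

# plan_revoke CONFIG_DIR CERT_NAME [REASON]   (hypothetical helper name)
plan_revoke() {
    config_dir=$1
    cert_name=$2
    reason=${3:-unspecified}

    # Only the reasons listed above are accepted.
    case "$reason" in
        unspecified|keycompromise|affiliationchanged|superseded|cessationofoperation) ;;
        *) echo "unknown reason: $reason" >&2; return 2 ;;
    esac

    # revoke takes the certificate path, not the name, so resolve and check it.
    cert_path="$config_dir/live/$cert_name/cert.pem"
    if [ ! -e "$cert_path" ]; then
        echo "no certificate at $cert_path" >&2
        return 1
    fi

    # A certificate issued from a staging endpoint needs --staging on revoke too.
    staging=""
    conf="$config_dir/renewal/$cert_name.conf"
    if [ -f "$conf" ] && grep -Eq '^[[:space:]]*server[[:space:]]*=.*staging' "$conf"; then
        staging=" --staging"
    fi

    echo "certbot revoke --cert-path $cert_path --reason $reason$staging"
    # Delete afterwards so the revoked certificate is not renewed automatically.
    echo "certbot delete --cert-name $cert_name"
}

# Print the plan when called with arguments, e.g.:
#   sh plan_revoke.sh /etc/letsencrypt example.com keycompromise
if [ "$#" -ge 2 ]; then
    plan_revoke "$@"
fi
```

Review the printed commands before running them with sudo; the helper itself never contacts the CA or changes any files.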
