How to Remove Specific Domains from a Let’s Encrypt Certificate with Certbot (Reissuing Under the Same Certificate Name)



When managing Let's Encrypt certificates with Certbot, you may need to shrink the domain list of an existing certificate. A common case is moving the web site to another server while the mail hostnames stay on the original host: the certificate on the mail host should then stop covering domain.example and www.domain.example.

For example, examining your current certificate shows:

# certbot certificates
Found the following certs:
  Certificate Name: domain.example
   Domains: domain.example imap.domain.example mail.domain.example 
            pop.domain.example smtp.domain.example www.domain.example
   Expiry Date: 2023-11-15 (VALID)
   Certificate Path: /etc/letsencrypt/live/domain.example/fullchain.pem
   Private Key Path: /etc/letsencrypt/live/domain.example/privkey.pem

Certbot cannot edit an existing certificate: once Let's Encrypt has signed it, the set of names in it is fixed. What you do instead is request a new certificate under the same certificate name (--cert-name) listing only the domains you want to keep. Certbot points the files in live/ at the new issuance and keeps the previous certificate and key in /etc/letsencrypt/archive/, where they stay valid until they expire. Two things to know before running it: Certbot notices that the domain set has changed and asks you to confirm the update (with --non-interactive it proceeds with the default, which is to update), and you should pass the authenticator you used originally (for example --webroot -w /var/www/html or --standalone), otherwise Certbot will ask how to authenticate. Here's the step-by-step process:

# First, take a restorable backup of the whole Certbot state. live/ contains
# only symlinks into archive/, so copying that directory alone is not a backup,
# and stray directories under live/ are best avoided.
sudo tar -czf /root/letsencrypt-backup.tar.gz /etc/letsencrypt

# Then request a new certificate under the same name with only the remaining
# domains. Use the authenticator you used originally; --webroot with
# /var/www/html is an assumption here, adjust the path or use --standalone.
# Certbot will report that domain.example and www.domain.example are being
# removed and ask you to confirm the update.
sudo certbot certonly --cert-name domain.example \
  --webroot -w /var/www/html \
  -d imap.domain.example \
  -d mail.domain.example \
  -d pop.domain.example \
  -d smtp.domain.example

For easier management, you can script this operation. Note that the domains must be passed as separate -d flags (or one comma-separated -d value); an unquoted space-separated string would be word-split into positional arguments that certbot rejects:

#!/bin/bash
set -euo pipefail

DOMAIN="domain.example"
# Domains to keep; anything not listed here is dropped from the new certificate
REMAINING_DOMAINS=(imap.domain.example mail.domain.example pop.domain.example smtp.domain.example)

# Backup the whole Certbot state (live/ holds only symlinks into archive/)
sudo tar -czf "/root/letsencrypt-$(date +%F).tar.gz" /etc/letsencrypt

# Build one -d flag per domain
args=()
for d in "${REMAINING_DOMAINS[@]}"; do args+=(-d "$d"); done

# Issue the new certificate in the same lineage; pass the authenticator you
# used originally (webroot with /var/www/html is an assumption, adjust it)
sudo certbot certonly --cert-name "$DOMAIN" --webroot -w /var/www/html "${args[@]}"

# Verify the new certificate
sudo certbot certificates --cert-name "$DOMAIN"

After the new certificate is issued, reload every service that uses it. The file paths under live/ do not change, but Certbot generates a new private key by default, so a reload is needed for the new key and certificate to take effect. If a web server on this host still serves one of the remaining hostnames, its Nginx configuration keeps pointing at the same paths:

server {
    listen 443 ssl;
    server_name imap.domain.example mail.domain.example;
    
    ssl_certificate /etc/letsencrypt/live/domain.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.example/privkey.pem;
    # ... other SSL settings
}

Certbot rewrites the renewal configuration with the options used for this issuance, but the domain list itself is not stored there: at renewal time Certbot reads the names from the current certificate, so future renewals cover only the remaining four domains. The file is still worth checking for the authenticator settings Certbot will use at renewal (for webroot, the [[webroot_map]] section):

/etc/letsencrypt/renewal/domain.example.conf

After making changes, verify that the certificate on disk contains only the intended names. The cert.pem in live/ is readable only by root on most installs, so use sudo; domain.example and www.domain.example must no longer appear in the output:

sudo openssl x509 -in /etc/letsencrypt/live/domain.example/cert.pem -noout -text | grep -o 'DNS:[^, ]*'
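As an added end-to-end example (not code from the original article), the script below performs the reissue described above and then refuses to reload services unless the Subject Alternative Names in the new cert.pem match the intended set exactly, so a typo in the domain list or an unexpected leftover name is caught before anything serves the certificate. It assumes the webroot authenticator with /var/www/html and that Nginx, Postfix and Dovecot are the services using the certificate; the function and variable names are the example's own.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article.
# Reissue a Certbot lineage with a reduced domain set, then verify that the
# new cert.pem carries exactly the intended names before reloading services.
# Assumptions (not stated on the page): webroot authenticator at /var/www/html;
# Nginx, Postfix and Dovecot are the services that use this certificate.
set -euo pipefail

CERT_NAME="domain.example"
WEBROOT="/var/www/html"   # assumption
KEEP_DOMAINS=(imap.domain.example mail.domain.example pop.domain.example smtp.domain.example)
LIVE_DIR="/etc/letsencrypt/live/${CERT_NAME}"

# Emit a single "-d a,b,c" argument. Certbot splits the value on commas, so no
# domain can be word-split into a stray positional argument.
certbot_domain_args() {
  local IFS=','
  printf -- '-d %s' "$*"
}

# Turn "openssl x509 -text" output (stdin) into one DNS SAN per line, sorted.
extract_dns_names() {
  grep -o 'DNS:[^, ]*' | cut -d: -f2 | sort -u
}

# Compare the names found in the certificate (stdin, one per line) with the
# intended set ($@). Report every name that should be gone and every name that
# is missing; return 1 on any mismatch so the caller stops before reloading.
check_domain_set() {
  local actual name status=0
  actual="$(tr '\n' ' ')"
  for name in $actual; do
    case " $* " in
      *" $name "*) ;;
      *) echo "still present, should be gone: $name" >&2; status=1 ;;
    esac
  done
  for name in "$@"; do
    case " $actual " in
      *" $name "*) ;;
      *) echo "missing from certificate: $name" >&2; status=1 ;;
    esac
  done
  return "$status"
}

san_names_from_cert() {
  # live/ is root-only on most installs, hence sudo
  sudo openssl x509 -in "$1" -noout -text | extract_dns_names
}

main() {
  # Restorable backup of the whole Certbot state. live/ holds only symlinks
  # into archive/, so copying live/ by itself is not a backup.
  sudo tar -czf "/root/letsencrypt-$(date +%F).tar.gz" /etc/letsencrypt

  # Same lineage, smaller domain set. --non-interactive accepts Certbot's
  # "domains have changed, update?" question with its default (update).
  # shellcheck disable=SC2046  # splitting "-d a,b,c" into two words is intended
  sudo certbot certonly --non-interactive --cert-name "$CERT_NAME" \
    --webroot -w "$WEBROOT" $(certbot_domain_args "${KEEP_DOMAINS[@]}")

  # Do not touch services unless the issued certificate is exactly right.
  if ! san_names_from_cert "${LIVE_DIR}/cert.pem" | check_domain_set "${KEEP_DOMAINS[@]}"; then
    echo "domain set mismatch in ${LIVE_DIR}/cert.pem; services not reloaded" >&2
    exit 1
  fi

  # A new issuance brings a new private key by default: reload every consumer
  # (service names are assumptions for this example).
  sudo nginx -t
  sudo systemctl reload nginx postfix dovecot
}

# Only act when invoked as "./shrink-cert.sh --run", so the file can also be
# sourced for its helper functions.
if [ "${1:-}" = "--run" ]; then
  main
fi
```

The verification step is the part worth keeping even if you run certbot by hand: certbot prints the new domain list, but comparing the SANs of the file that services will actually load against the list you intended is what catches a name that was dropped by accident or one that should have gone and did not.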

A few things to check once the new certificate is in place:
  • Run sudo certbot renew --dry-run to confirm that the lineage still renews with the reduced domain set; the dry run uses the staging environment and does not replace the live certificate.
  • Update any automation (deploy hooks, configuration management, monitoring checks) that still references the old domain list or expects www.domain.example to be served from this host.
  • Keep monitoring certificate expiry. Reissuing also changes the private key by default, so anything that pins the key, such as DANE/TLSA records for the mail hostnames, must be updated; alternatively pass --reuse-key when reissuing.