How to Completely Remove Certbot SSL Certificates on Ubuntu/Nginx: A Clean Uninstall Guide

When you run certbot --nginx, Certbot creates several artifacts:

/etc/letsencrypt/live/yourdomain.com/
/etc/letsencrypt/archive/yourdomain.com/
/etc/letsencrypt/renewal/yourdomain.com.conf
/etc/nginx/sites-available/yourdomain.conf (modified version)

Here's the proper sequence to completely wipe a certificate:

# First, revoke the certificate (optional but recommended)
sudo certbot revoke --cert-path /etc/letsencrypt/live/${DOMAIN}/cert.pem

# Then delete all certificate files
sudo rm -rf /etc/letsencrypt/live/${DOMAIN}/
sudo rm -rf /etc/letsencrypt/archive/${DOMAIN}/
sudo rm /etc/letsencrypt/renewal/${DOMAIN}.conf

# Remove Nginx configurations
sudo rm /etc/nginx/sites-available/${DOMAIN}.conf
sudo rm /etc/nginx/sites-enabled/${DOMAIN}.conf

For a more automated approach:

sudo certbot delete --cert-name ${DOMAIN}

This handles most of the cleanup, but you'll still need to manually remove Nginx config files.

Check for any remnants:

sudo certbot certificates | grep ${DOMAIN}
ls -la /etc/letsencrypt/live/ | grep ${DOMAIN}
ls -la /etc/nginx/sites-enabled/ | grep ${DOMAIN}

For automation purposes:

#!/bin/bash
set -u
DOMAIN="example.com"
# Never run "rm -rf /etc/letsencrypt/live/" with an empty name: that would remove every certificate.
[ -n "$DOMAIN" ] || { echo "DOMAIN must be set" >&2; exit 1; }

echo "[1/4] Revoking certificate..."
# Revocation is optional. --delete-after-revoke also removes the lineage, so step 2 is only a sweep.
sudo certbot revoke --cert-path "/etc/letsencrypt/live/${DOMAIN}/cert.pem" --delete-after-revoke

echo "[2/4] Removing Let's Encrypt files..."
sudo rm -rf "/etc/letsencrypt/live/${DOMAIN}" "/etc/letsencrypt/archive/${DOMAIN}"
sudo rm -f "/etc/letsencrypt/renewal/${DOMAIN}.conf"   # -f: already gone after step 1 is not an error

echo "[3/4] Cleaning Nginx configs..."
sudo rm -f "/etc/nginx/sites-available/${DOMAIN}.conf" "/etc/nginx/sites-enabled/${DOMAIN}.conf"

echo "[4/4] Reloading Nginx..."
# Reload only if what remains still parses; a config that points at deleted cert files fails nginx -t.
sudo nginx -t && sudo systemctl reload nginx

When you generate SSL certificates using Certbot with the Nginx plugin, it creates files in multiple locations:

/etc/letsencrypt/live/yourdomain.com/
/etc/letsencrypt/archive/yourdomain.com/
/etc/letsencrypt/renewal/yourdomain.com.conf

Additionally, Certbot modifies your Nginx configuration files to include SSL directives.

Here's the step-by-step procedure to fully remove a certificate:

# 1. First delete the certificate files
sudo rm -rf /etc/letsencrypt/live/yourdomain.com
sudo rm -rf /etc/letsencrypt/archive/yourdomain.com
sudo rm /etc/letsencrypt/renewal/yourdomain.com.conf

# 2. Remove Nginx configuration (both available and enabled)
sudo rm /etc/nginx/sites-available/yourdomain.conf
sudo rm /etc/nginx/sites-enabled/yourdomain.conf

# 3. Optional: Clean up auto-renewal cron jobs
sudo crontab -e
# Then remove any entries related to yourdomain.com
# (Certbot's own scheduled job runs a plain "certbot renew" over every file in
#  /etc/letsencrypt/renewal/, so once yourdomain.com.conf is gone it simply skips
#  this domain; only entries you added yourself for this domain need removing.)

While manual deletion works, Certbot provides cleaner methods:

# To list all certificates:
sudo certbot certificates

# To delete a specific certificate:
sudo certbot delete --cert-name yourdomain.com

The certbot delete command handles most cleanup automatically, but you may still need to manually remove Nginx config files.

Certbot modifies your Nginx configs. After certificate removal, check these sections:

server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    # ... other SSL directives ...
}

# And the HTTP to HTTPS redirect:
server {
    listen 80;
    server_name yourdomain.com www.yourdomain.com;
    return 301 https://$host$request_uri;
}

Remove or comment out these SSL-related blocks after certificate deletion. If they stay, nginx -t fails because the ssl_certificate and ssl_certificate_key paths no longer exist, and the reload is refused.

Run these checks to ensure no remnants remain:

# Check certificate files
ls -la /etc/letsencrypt/live/ | grep yourdomain
ls -la /etc/letsencrypt/archive/ | grep yourdomain

# Check Nginx configs
grep -r "yourdomain.com" /etc/nginx/

# Test Nginx configuration
sudo nginx -t

For frequent use, create a cleanup script:

#!/bin/bash
set -u
DOMAIN="yourdomain.com"
# Guard against an empty DOMAIN: "rm -rf /etc/letsencrypt/live/" would remove every certificate.
[ -n "$DOMAIN" ] || { echo "DOMAIN must be set" >&2; exit 1; }

# Certbot cleanup (removes live/, archive/ and the renewal conf for this lineage)
sudo certbot delete --cert-name "$DOMAIN" --non-interactive

# Manual sweep of anything certbot left behind. Exact paths, not "$DOMAIN*":
# a trailing glob would also match yourdomain.com-0001 or yourdomain.com.bak.
sudo rm -rf "/etc/letsencrypt/live/$DOMAIN" "/etc/letsencrypt/archive/$DOMAIN"
sudo rm -f "/etc/letsencrypt/renewal/$DOMAIN.conf"

# Nginx cleanup (-f: the files may already be gone, which is not an error here)
sudo rm -f "/etc/nginx/sites-available/$DOMAIN.conf" "/etc/nginx/sites-enabled/$DOMAIN.conf"

# Reload Nginx only if the remaining configuration still parses
sudo nginx -t && sudo systemctl reload nginx

  • Backup configurations before deletion
  • Consider DNS records if doing complete domain removal
  • Check for certificate dependencies in other services
  • Monitor for failed renewal attempts in system logs
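The cleanup script and the remnant checks above can be combined into one guarded routine. The following is an added example, not code from the article or from Certbot: it backs up the renewal conf and every nginx file that references the certificate before deleting anything, deletes by exact path instead of a glob, refuses empty or path-like domain names, and only reports success when no nginx file still points at the removed certificate (otherwise nginx -t would fail and the reload must not run). The variables LE_ROOT, NGINX_ROOT, BACKUP_DIR and DRY_RUN are this example's own assumptions, chosen so the routine can be rehearsed against a scratch directory; it deletes files directly rather than calling certbot delete, so on a real host run it as root after (or instead of) that command.

```shell
#!/bin/bash
# Added example (not from the article): a guarded version of the cleanup script.
# Paths are overridable so it can be rehearsed against a scratch tree, DRY_RUN=1
# only reports what would be deleted, and nothing is reloaded while an nginx
# file still points at the deleted certificate (that reload would fail).
set -u

LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"                     # certbot config dir (assumed default)
NGINX_ROOT="${NGINX_ROOT:-/etc/nginx}"                     # nginx config tree (assumed default)
BACKUP_DIR="${BACKUP_DIR:-/root/certbot-cleanup-backups}"  # this example's own backup location

# Refuse empty or path-like names: "rm -rf $LE_ROOT/live/" with an empty DOMAIN
# would wipe every certificate on the host.
validate_domain() {
    case "$1" in
        ""|*/*|*..*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print every nginx config file that still references this domain's live/ dir.
# Anything listed here makes "nginx -t" fail once the certificate is gone.
find_nginx_refs() {
    grep -rlF "$LE_ROOT/live/$1/" "$NGINX_ROOT" 2>/dev/null || true
}

# Copy an absolute path into the backup dir, mirroring its directory structure
# so /etc/letsencrypt/renewal/x.conf and /etc/nginx/.../x.conf cannot collide.
copy_into_backup() {
    mkdir -p "$1$(dirname "$2")"
    cp "$2" "$1$2"
}

# Snapshot the renewal config and every nginx file that references the domain,
# then print the backup directory so a mistaken run can be reverted.
backup_configs() {
    dest="$BACKUP_DIR/$1-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest"
    [ -f "$LE_ROOT/renewal/$1.conf" ] && copy_into_backup "$dest" "$LE_ROOT/renewal/$1.conf"
    find_nginx_refs "$1" | while IFS= read -r f; do copy_into_backup "$dest" "$f"; done
    printf '%s\n' "$dest"
}

# Remove exactly this domain's certificate material. Exact names are used on
# purpose: a "$DOMAIN*" glob would also match example.com-0001 or example.com.bak.
remove_cert_files() {
    validate_domain "$1" || { echo "refusing to clean up '$1'" >&2; return 1; }
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would remove: $LE_ROOT/live/$1 $LE_ROOT/archive/$1 $LE_ROOT/renewal/$1.conf"
        return 0
    fi
    rm -rf "$LE_ROOT/live/$1" "$LE_ROOT/archive/$1"
    rm -f "$LE_ROOT/renewal/$1.conf"
}

# Remove the domain's own site file and its sites-enabled symlink.
remove_nginx_site() {
    validate_domain "$1" || return 1
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "would remove: $NGINX_ROOT/sites-enabled/$1.conf $NGINX_ROOT/sites-available/$1.conf"
        return 0
    fi
    rm -f "$NGINX_ROOT/sites-enabled/$1.conf" "$NGINX_ROOT/sites-available/$1.conf"
}

# The article's procedure with the checks added: back up, delete, then verify
# that no other nginx file (conf.d/, another vhost) still uses the certificate.
# Returns 2 in that case so the caller does not reload a broken configuration.
cleanup_domain() {
    validate_domain "$1" || { echo "invalid domain '$1'" >&2; return 1; }
    [ "${DRY_RUN:-0}" = "1" ] || backup_configs "$1" >/dev/null
    remove_cert_files "$1"
    remove_nginx_site "$1"
    leftovers="$(find_nginx_refs "$1")"
    if [ -n "$leftovers" ]; then
        printf 'nginx still references %s in:\n%s\n' "$1" "$leftovers" >&2
        return 2
    fi
    return 0
}

# Usage as root:   cleanup_domain example.com && nginx -t && systemctl reload nginx
# Rehearsal only:  DRY_RUN=1 cleanup_domain example.com
```

The exit code 2 path is the one worth keeping: a second vhost or a conf.d/ snippet that reuses the same fullchain.pem is exactly the "certificate dependency" the checklist warns about, and catching it before the reload is cheaper than restoring from the backup directory afterwards.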