Deleting a Certbot certificate lineage removes the local certificate files and renewal record that Certbot manages for one certificate name. Use it when a domain has moved, a duplicate test lineage was replaced, or an old certificate should stop renewing; deleting the wrong lineage can leave a service pointing at missing TLS files.
Certbot stores each lineage in the live, archive, and renewal areas under /etc/letsencrypt. The delete subcommand removes those related local files by certificate name, so the exact value from Certificate Name matters more than the domain list printed below it.
Deletion does not revoke the certificate at the certificate authority. If the certificate private key was exposed or the certificate should no longer be trusted, revoke it separately before or during the cleanup plan. Before deleting any lineage that a service still uses, remove or replace every old lineage reference in web server, mail server, load balancer, or application configuration.
$ sudo certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: old.example.com
Serial Number: 66313e2f465887824032ed095ca4d18ea8bdc058
Key Type: RSA
Domains: old.example.com
Expiry Date: 2026-07-17 00:04:46+00:00 (VALID: 28 days)
Certificate Path: /etc/letsencrypt/live/old.example.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/old.example.com/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Pass the value from Certificate Name to --cert-name. Do not use a full file path or one domain from a multi-domain certificate unless that is also the lineage name.
$ sudo grep -R "/etc/letsencrypt/live/old.example.com" /etc/nginx
/etc/nginx/sites-enabled/old.example.com.conf: ssl_certificate /etc/letsencrypt/live/old.example.com/fullchain.pem;
/etc/nginx/sites-enabled/old.example.com.conf: ssl_certificate_key /etc/letsencrypt/live/old.example.com/privkey.pem;
Search the configuration tree for the service that owns TLS on the host, such as Nginx, Apache, Postfix, HAProxy, or an application-specific directory. If no references exist, continue to the approval step.
ssl_certificate /etc/letsencrypt/live/new.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/new.example.com/privkey.pem;
Do not leave a service pointing at the old lineage path. After the lineage is deleted, those paths no longer exist and the next reload or restart can break TLS startup.
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Use the equivalent validation command for the service you changed, such as sudo apachectl configtest for Apache.
$ sudo systemctl reload nginx
Skip this step only when no running service referenced the lineage.
certbot delete is irreversible for the local lineage and does not revoke the public certificate. Do not manually remove files under /etc/letsencrypt; use certbot delete after references and revocation requirements are handled.
$ sudo certbot delete --cert-name old.example.com --non-interactive
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deleted all files relating to certificate old.example.com.
For an interactive maintenance shell, omit --non-interactive if you want Certbot to ask for confirmation. For automation, keep --cert-name exact and require an external approval gate before the command runs.
$ sudo certbot certificates --cert-name old.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certificates found.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
This proves the local Certbot lineage was removed. It does not prove revocation, DNS cleanup, or removal from another host that has its own Certbot configuration tree.
$ sudo grep -R "/etc/letsencrypt/live/old.example.com" /etc/nginx
No output means the searched Nginx configuration no longer references that lineage. Search the actual TLS service configuration tree for the host before closing the maintenance change.