How to stop renewing a letsencrypt/certbot certificate?
With certbot
, you can simply use:
certbot delete --cert-name mywebsite.com
This removes the certificate and all relevant files from your letsencrypt config directory.
The OP wants to delete the certificate in addition to stopping renewal, and that was covered by the other answers. However if you want to keep the certificate but discontinue future renewals (for example if you have switched to a different server, but are waiting for all the DNS changes to propagate), you can go into /etc/letsencrypt/renewal
and rename example.com.conf
to example.com.conf.disabled
(or any other non-.conf
name, or even delete it altogether:
/etc/letsencrypt/renewal/example.com.conf.disabled
You can verify it was disabled by running the following command, as noted in the other answer.
sudo certbot renew --dry-run
Lastly some have suggested elsewhere that one can simple put autorenew = False
at the top of the /etc/letsencrypt/renewal/example.com.conf
file, but that doesn't seem to work. (I would have replied to that post to give my feedback, but their forum cuts off comments after 30 days.)
After review I realize that much of this information is included in the other answer, but I wanted to clarify the steps needed for the separate use case of disabling renewal without deleting or disabling the certificate itself.
It doesn't seem like there is a command to formally "cancel" renewals at this time. However, I found a suggestion from this thread that seems to work.
I tried running the following command,
sudo find /etc/letsencrypt/ -name '*outdated.example.com*'
and only found one file in each the live/
, archive/
and renewal/
directory.
I also tried running,
sudo grep -r /etc/letsencrypt/ -e 'outdated.example.com'
and only found references to the outdated domain in one file in the renewal/
directory (which was renewal/outdated.example.com.conf
).
I ran letsencrypt renew
and it listed outdated.example.com
in the output.
I then created a directory _renewal_disabled
and moved renewal/outdated.example.com.conf
to that directory.
I ran letsencrypt renew
again, and it no longer listed outdated.example.com
in the output.
From this I can assume that I've "disabled" renewal of the certificate.