Managing site certificates with NGINX and Certbot
And removing a single domain certificate without breaking everything else
Do you operate multiple domains from the same webserver? Do you have a webserver operated by NGINX? Do you have Certbot managing your certificates? This is a set of instructions for creating your certificates correctly and removing a single domain from your configuration, after I found some confusing ones that resulted in me knocking out my server for a little while…
A note before we begin
If you’re rather in a hurry to remove a domain from a messy configuration, STOP. Re-organizing your sites and regenerating your certificates is not only pretty quick and mostly painless — and required, if you want to remove a single domain without making NGINX break down and throw a wobbly — it’s very much the same process.
Organizing your existing NGINX sites
Ensure that you know which domains are configured in which site files. In particular, make sure that you do not include servers for multiple domains in the same file.
To do this, look through your enabled site files under /etc/nginx/sites-enabled to find relevant server entries. While you’re there, you might want to note any certificates which are already used by those server entries; those will be the lines starting with ssl_certificate.
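One way to run this check over every enabled site file at once, as an added example that is not part of the original post. It assumes one directive per line and treats the last two labels of each server_name as the domain (so suffixes such as co.uk are not handled); audit_sites and make_sample are names made up for this example, and the sample site files are constructed.

```shell
# audit_sites DIR prints one line per site file:
#   STATUS<TAB>file<TAB>domains<TAB>ssl_certificate paths
# STATUS is MULTI when the file serves more than one domain, otherwise OK.
# Assumptions: one directive per line; domain = last two labels of a name.
audit_sites() {
    dir=${1:-/etc/nginx/sites-enabled}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skips dangling symlinks and subdirs
        awk -v file="${f##*/}" '
            { sub(/#.*/, ""); gsub(/;/, " ") }   # strip comments and ";"
            $1 == "server_name" {
                for (i = 2; i <= NF; i++) {
                    n = split($i, p, ".")
                    if (n < 2) continue          # "_" or "localhost"
                    d = p[n-1] "." p[n]
                    if (!(d in seen)) { seen[d] = 1; nd++; doms = doms (doms ? "," : "") d }
                }
            }
            $1 == "ssl_certificate" && !($2 in cs) {
                cs[$2] = 1; certs = certs (certs ? "," : "") $2
            }
            END {
                printf "%s\t%s\t%s\t%s\n", (nd > 1 ? "MULTI" : "OK"), file,
                       (doms ? doms : "-"), (certs ? certs : "-")
            }' "$f"
    done
}

# make_sample DIR writes two constructed site files for an offline trial.
make_sample() {
    cat > "$1/example.com" <<'EOF'
server {
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
}
EOF
    cat > "$1/mixed" <<'EOF'
server {
    server_name example.org;
}
server {
    server_name blog.example.net;  # a second domain in the same file
}
EOF
}
```

On a real host, call audit_sites with no argument; any file reported as MULTI needs splitting into one file per domain before certificates are generated.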
If you need to reorganize your site files, remember that their actual location must be in the /etc/nginx/sites-available path. To enable a site /etc/nginx/sites-available/example.com, create a symlink in the /etc/nginx/sites-enabled path with
ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/
and to disable a site, remove it from the /etc/nginx/sites-enabled path with
Generating certificates with Certbot
Once your sites are organized so that each domain has its own file, generate certificates for each domain and its subdomains with
sudo certbot --nginx -d example.com -d www.example.com
This will generate a new certificate if needed and update the site file accordingly.