Don't delete a certificate for a domain via Certbot!

I used Certbot to delete an SSL certificate on a domain I no longer use but still had an Apache2 virtual host for.


I hosed the entire server after a restart of Apache. By deleting the certificate it deleted a file that Apache checks on startup or restart etc. I had to comment out two lines in the Apache 'sites-available' directory for that domain.

Without Apache working Certbot also would not work.

There is probably a better way to fix this, but I could not find it after almost an hour of searching.

Talk about a massive point of failure!

That one file killed Apache2 which of course killed every one of my domains.

3 Replies


What you shouldn't do is install certs with

sudo certbot --apache -d

You should shut down your web server and then install the cert with

sudo certbot certonly --standalone -d

Do the apache2 glue yourself. This is as simple as adding the following:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/

in your VirtualHost configuration. The chain file configuration is important…without this a standard browser will still complain that the CA is untrusted.

Then start up your web server again.

If you want the urls and to be equivalent, you would acquire the cert like this:

sudo certbot certonly --standalone -d,

-- sw

P.S. You may have to install a null VirtualHost at your web root for this to work:

<VirtualHost _default_:80>

This is a small price to pay for not giving certbot the ability to nuke your web server configuration, IMHO.

Thanks, Steve.

On my next server your instructions above are how I will do things. I didn't know about the "certonly" option.

If you want the urls and to be equivalent, you would acquire the cert like this:

sudo certbot certonly --standalone -d,

I use the same cert for my mail server too -- for ssmtp, submission and imaps -- so I use

sudo certbot certonly --standalone -d,,

When you install the certbot packages with apt, there's a systemd timer job for renewal that gets set up too…so you don't have to worry about setting up a cron job to do this.

-- sw
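
The failure in the original post (Apache refusing to start because a virtual host still points at deleted certificate files) can be caught before anything is deleted. The following is an added example, not part of the thread or of Certbot: a shell check that lists active SSLCertificate* directives still referencing a certificate name. The function name `find_cert_refs` and the Debian/Ubuntu default paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): before deleting a Certbot certificate,
# list the Apache directives that still point at its files.
# Assumptions: Debian/Ubuntu paths as defaults; find_cert_refs and its
# arguments are illustrative names.

# find_cert_refs CERT_NAME [CONF_DIR] [LIVE_DIR]
# Prints file:line:directive for each active SSLCertificate* directive that
# references LIVE_DIR/CERT_NAME/. Commented-out directives are ignored.
# Returns 0 when nothing references the certificate, 1 when something still
# does, 2 on a usage error.
find_cert_refs() {
    local name conf_dir live_dir name_re hits
    name="$1"
    conf_dir="${2:-/etc/apache2/sites-enabled}"
    live_dir="${3:-/etc/letsencrypt/live}"

    if [ -z "$name" ] || [ ! -d "$conf_dir" ]; then
        echo "usage: find_cert_refs CERT_NAME [CONF_DIR] [LIVE_DIR]" >&2
        return 2
    fi

    # Escape dots so "example.com" is matched literally, not as a regex.
    name_re=$(printf '%s' "$name" | sed 's/\./\\./g')

    # -R follows the sites-enabled symlinks; -i because Apache directive
    # names are case-insensitive; "|| true" keeps "no match" from aborting
    # callers that run under "set -e".
    hits=$(grep -RniE \
        "^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]+\"?${live_dir}/${name_re}/" \
        "$conf_dir" 2>/dev/null || true)

    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# When run as a script with arguments, act as a pre-delete check.
if [ "$#" -gt 0 ]; then
    find_cert_refs "$@"
fi
```

Run it with the certificate name before `certbot delete --cert-name NAME` and remove or repoint whatever it lists. `apache2ctl configtest` before the restart catches the same missing-file error without taking the running server down.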

