Selective SSL Certificate Renewal for Single Domains Using Certbot

Nov 23, 2025 · Programming

Keywords: Certbot | SSL Certificate Renewal | Single Domain Management

Abstract: This technical article explores methods for renewing SSL certificates for specific domains using Certbot, rather than performing bulk renewals. By comparing certbot renew and certonly commands, it focuses on the --apache/--nginx parameters combined with the -d option for precise domain renewal, providing comprehensive examples and best practices for efficient multi-domain certificate management.

Overview of Certbot Certificate Renewal Mechanisms

When managing SSL certificates for multiple domains, Certbot offers two primary approaches: certbot renew for batch renewal of all expiring certificates, and certbot certonly for creating or replacing specific certificates. For precise control over individual domain renewals, the latter provides a more flexible solution.

Core Command for Single Domain Certificate Renewal

For Apache server environments, the following command enables certificate renewal specifically for domain1.com:

certbot --apache certonly -n -d domain1.com

The parameters in this command are defined as follows:

Command Execution Process and Validation

Before performing the actual renewal, it's recommended to test using the --dry-run parameter:

certbot --apache certonly -n -d domain1.com --dry-run

After successful testing, remove the --dry-run parameter to execute the actual renewal. Similar to the certbot renew command, this operation also supports --pre-hook and --post-hook parameters for executing custom scripts before and after certificate renewal.

Comparison with Alternative Renewal Methods

While certbot renew --cert-name can also be used to renew a single certificate, it is important to distinguish between certificate names and domain names. The certbot certificates command displays detailed information about all certificates, and a single certificate name may cover multiple associated domains. In contrast, certonly mode with the -d parameter selects by domain name, which gives more intuitive and precise control.
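The certificate-name versus domain-name distinction above, as an added example that is not part of the original article: the script reads certbot certificates output, finds which certificate covers a domain, and prints the dry-run command that fits. The function names, the shared-sites certificate name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example. Maps a domain to the Certbot certificate name that covers it.

# Constructed, abbreviated `certbot certificates` output (not from a real host).
sample_certs() {
cat <<'EOF'
Found the following certs:
  Certificate Name: domain1.com
    Domains: domain1.com
    Expiry Date: 2026-01-10 08:00:00+00:00 (VALID: 20 days)
    Certificate Path: /etc/letsencrypt/live/domain1.com/fullchain.pem
  Certificate Name: shared-sites
    Domains: domain2.com www.domain2.com
    Expiry Date: 2026-03-01 08:00:00+00:00 (VALID: 70 days)
    Certificate Path: /etc/letsencrypt/live/shared-sites/fullchain.pem
EOF
}

# Reads `certbot certificates` output on stdin; prints "name|domains" for each
# certificate whose Domains line holds $1 as an exact token, so domain2.com
# does not match www.domain2.com.
lineage_for_domain() {
  awk -v want="$1" '
    /Certificate Name:/ { name = $3 }
    /Domains:/ {
      for (i = 2; i <= NF; i++)
        if ($i == want) { sub(/^ *Domains: /, ""); print name "|" $0; break }
    }'
}

# Prints the dry-run command to try for $1 (prints only, runs nothing).
plan_renewal() {
  hit=$(lineage_for_domain "$1")
  [ -n "$hit" ] || { echo "no certificate covers $1" >&2; return 1; }
  printf '%s\n' "$hit" | while IFS='|' read -r name names; do
    if [ "$names" = "$1" ]; then
      # The certificate holds exactly this domain: the page's command fits.
      echo "certbot --apache certonly -n -d $1 --dry-run"
    else
      # -d with one name would request a different name set, so address the
      # certificate by name to keep its domains together.
      echo "certbot renew --cert-name $name --dry-run"
    fi
  done
}

sample_certs | plan_renewal domain2.com
```

On a real host, replace sample_certs with certbot certificates and review the printed command before running it.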

Certificate Deployment and Server Restart

After certificate renewal completes, the system displays information similar to:

-------------------------------------------------------------------------------
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/domain1.com/fullchain.pem
-------------------------------------------------------------------------------

At this point, the web server must be restarted to activate the new certificate. For Apache servers, use systemctl restart apache2 (or equivalent service management command); for Nginx servers, use systemctl restart nginx.

Best Practice Recommendations

In multi-domain certificate management environments, establishing clear certificate naming conventions and regularly monitoring certificate status is recommended. By combining automation scripts and monitoring tools, more reliable certificate management workflows can be built, ensuring timely certificate renewals without affecting service availability.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.