How to safely remove expired or unused domain certificates from Certbot volumes
When running Let’s Encrypt with Certbot inside Docker, it is common to end up with domains that are no longer used but whose certificates Certbot still lists and tries to renew.
This can cause unnecessary renewal attempts, clutter your certificate directory, and potentially confuse your web or mail server configuration.
This article documents the full process of cleaning up unused SSL certificates, including:
- Viewing existing certificates
- Removing individual certificate lineages
- Handling “Another instance of Certbot is already running” lock errors
- Best practices for maintaining a clean certificate environment
📌 Environment Overview
Certbot runs inside a Docker container and stores all data in persistent named volumes.
A typical renewal job looks like this:
docker run --rm \
-v httpd-etc-letsencrypt:/etc/letsencrypt \
-v httpd-varlib-letsencrypt:/var/lib/letsencrypt \
-v httpd-varlog-letsencrypt:/var/log/letsencrypt \
-v httpd-virtual-htdocs:/var/www/virtual \
certbot/certbot:v4.1.1 renew
1. Listing All Existing Certificates
Start by listing all certificate lineages stored in Certbot’s volumes:
docker run --rm -it \
-v httpd-etc-letsencrypt:/etc/letsencrypt \
-v httpd-varlib-letsencrypt:/var/lib/letsencrypt \
-v httpd-varlog-letsencrypt:/var/log/letsencrypt \
certbot/certbot:v4.1.1 certificates
Example output (excerpt):
Certificate Name: pop3.nuface.tw
Domains: pop3.nuface.tw
Expiry Date: EXPIRED
Certificate Name: imap.nuface.tw
Certificate Name: mailadmin.nuface.tw
Certificate Name: smtp.nuface.tw
Certificate Name: tpm1.nuface.tw
Certificate Name: webmail.nuface.tw
...
Certificate Name: tpm1.demo.com.tw (VALID)
Certificate Name: wms.demo.com.tw (VALID)
All expired nuface.tw certificates were no longer in use and safe to remove.
2. Fixing the Certbot Lock Error (If It Occurs)
If running certificates (or any other Certbot command) prints:
Another instance of Certbot is already running.
it usually means a stale lock file was left behind in the volume, for example by a renewal container that was stopped mid-run. Before removing it, confirm that no other Certbot container is actually still running (docker ps); deleting the lock from under an active run can leave a lineage half-written.
Enter an Alpine container to inspect the volume:
docker run --rm -it \
-v httpd-etc-letsencrypt:/etc/letsencrypt \
-v httpd-varlib-letsencrypt:/var/lib/letsencrypt \
alpine:3.20 /bin/sh
Remove old lock files:
rm -f /var/lib/letsencrypt/.certbot.lock
rm -f /etc/letsencrypt/.certbot.lock
Exit:
exit
Once the lock file is removed, Certbot commands will work normally again.
3. Removing Unused Certificate Lineages
Certbot manages each certificate as a separate lineage, so removing a domain simply means deleting that lineage in full with certbot delete.
Example: removing pop3.nuface.tw:
docker run --rm -it \
-v httpd-etc-letsencrypt:/etc/letsencrypt \
-v httpd-varlib-letsencrypt:/var/lib/letsencrypt \
-v httpd-varlog-letsencrypt:/var/log/letsencrypt \
certbot/certbot:v4.1.1 delete \
--cert-name pop3.nuface.tw
Certbot will prompt for confirmation; type Y to delete.
In this cleanup, the following unused/expired certificates were removed:
- pop3.nuface.tw
- imap.nuface.tw
- smtp.nuface.tw
- mailadmin.nuface.tw
- tpm1.nuface.tw
- webmail.nuface.tw
⚠️ Before deleting, ensure your web server, Postfix, or Dovecot is no longer referencing
/etc/letsencrypt/live/<domain>/fullchain.pem or privkey.pem.
4. Verify the Cleaned Certificate List
After the cleanup, run:
docker run --rm -it \
-v httpd-etc-letsencrypt:/etc/letsencrypt \
-v httpd-varlib-letsencrypt:/var/lib/letsencrypt \
-v httpd-varlog-letsencrypt:/var/log/letsencrypt \
certbot/certbot:v4.1.1 certificates
Only actively used and valid certificates remain, such as:
- tpm1.demo.com.tw
- wms.demo.com.tw
- wmsadmin.demo.com.tw
- wmsdb.demo.com.tw
Your future certbot renew runs will now be faster and error-free.
5. Best Practices for Long-Term Certificate Maintenance
✔ Use one certificate per domain
Avoid bundling domains into a single SAN certificate.
Smaller, separate certificates make cleanup and maintenance much easier.
✔ Keep server configuration in sync
Before deleting a certificate, ensure:
- Apache or Nginx is not referencing the certificate files
- Postfix SNI configuration does not include that domain
- Dovecot local_name blocks for that domain are removed
Failing to do this may result in startup errors after deletion.
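As an added example (not code from the original article), a small POSIX shell wrapper that performs the reference check from the section 3 warning and this checklist before running the delete command: it greps the server config trees for the lineage's /etc/letsencrypt/live/<domain>/ path and refuses to delete while any hit remains. The CONFIG_DIR layout, the DRY_RUN switch and the sample Nginx/Dovecot snippets are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): refuse to delete a Certbot lineage
# while a server config still references its /etc/letsencrypt/live/ path.
# Assumes the Apache/Nginx/Postfix/Dovecot config trees sit under one
# directory passed as CONFIG_DIR (hypothetical layout, not the article's).
# cert_references DOMAIN CONFIG_DIR: prints each config line naming
# /etc/letsencrypt/live/DOMAIN/; exit 0 if any found, 1 if unreferenced.
cert_references() {
  grep -rn -F "/etc/letsencrypt/live/$1/" "$2" 2>/dev/null
}
# safe_delete_cert DOMAIN CONFIG_DIR: returns 2 and deletes nothing while
# references remain; with DRY_RUN set it only reports, otherwise it runs
# the article's interactive delete command.
safe_delete_cert() {
  domain="$1"; config_dir="$2"
  if cert_references "$domain" "$config_dir"; then
    echo "refusing to delete $domain: still referenced (see lines above)" >&2
    return 2
  fi
  if [ -n "${DRY_RUN:-}" ]; then
    echo "would delete lineage $domain"
    return 0
  fi
  docker run --rm -it \
    -v httpd-etc-letsencrypt:/etc/letsencrypt \
    -v httpd-varlib-letsencrypt:/var/lib/letsencrypt \
    -v httpd-varlog-letsencrypt:/var/log/letsencrypt \
    certbot/certbot:v4.1.1 delete --cert-name "$domain"
}
# make_sample_configs: constructed Nginx and Dovecot snippets for a demo
# run; prints the temporary directory that holds them.
make_sample_configs() {
  dir=$(mktemp -d)
  mkdir -p "$dir/nginx" "$dir/dovecot"
  cat > "$dir/nginx/webmail.conf" <<'EOF'
server {
    server_name webmail.nuface.tw;
    ssl_certificate     /etc/letsencrypt/live/webmail.nuface.tw/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webmail.nuface.tw/privkey.pem;
}
EOF
  cat > "$dir/dovecot/10-ssl.conf" <<'EOF'
local_name imap.nuface.tw {
  ssl_cert = </etc/letsencrypt/live/imap.nuface.tw/fullchain.pem
  ssl_key  = </etc/letsencrypt/live/imap.nuface.tw/privkey.pem
}
EOF
  echo "$dir"
}
```

Run it as DRY_RUN=1 safe_delete_cert pop3.nuface.tw /path/to/configs first; only unset DRY_RUN once the check comes back clean.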
✔ Review certificates periodically
A quarterly review helps prevent clutter and keeps renewal jobs clean and fast.
✔ Conclusion
Managing Let’s Encrypt certificates inside Docker is convenient and flexible, but unused domains naturally accumulate over time. Cleaning up old or expired certificates is essential to keeping your environment organized.
This article walked through:
- Listing existing certificate lineages
- Removing unused domain certificates
- Cleaning stale Certbot lock files
- Following best practices for long-term maintenance
After cleanup, Certbot renewals become simpler, faster, and more reliable.