Certbot clean up old .pem files

My domain is: tarcanfel.org
Running certbot 1.12.0-2 on Debian 10

I have .pem files in /etc/letsencrypt/keys/ that date back to 2018. What is the correct way to clean these files up and maintain them without causing certbot to fail?

1 Like

I believe newer versions of certbot are already set to handle this.
But if you can't/won't upgrade certbot you could run some kind of job that deletes files that are older than 90, or 180 to be safer, days in those folders.


Any idea what version addresses the clean-up of old .pem (and other unused files)?
1.12 seems to be the latest distributed with Debian stable.
Should I request a backport?

I think here are the threads discussing it:


I don't what would be done for it at this point:


Certbot 1.12.0-2 is distributed with Debian 11 (bullseye), not Debian 10 (buster). 11 is the current stable, 10 is oldstable.

However, Debian 12 (bookworm) is going to become stable on 2023-06-10 (estimated), so in about 4 days. Debian 12 will ship certbot 2.1.0. I don't know which backports it has, but it might also predate the cleanup (which is in 2.3.0 on upstream).

You can always try and talk to the Debian maintainers of that package, sure. However, with the release rollover period it might take quite a while before anything that is not mission-criticial can be done. It would also likely target bookworm, since it's going to be the current stable as of next week.


You're right, I'm on 11 not 10, and backports are pretty much frozen for the rollover. I hadn't realized it's that close.

We'll see what happens then.


Do you know about the snap version of Certbot? I'd guess the Debian 11 process is same as Debian 10. See


There is always pip in venv if you prefer to not install snapd on your servers.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.