#### _csr-certbot.pem files auto cleanup

Hi, I have certbot 1.21.0 installed on my Linux Mint server:

It's creating two pem files in /etc/letsencrypt/csr every day.
The files are not cleaned up and there are now 524 of them going back to Nov 22

I assume these are created by systemctl certbot.timer -
shouldn't it be cleaning up these files - esp as they are in /etc ?

Can I manually clean them up?
Is there a setting to clean up unneeded ones ?

```
apt list --installed | grep certbot

certbot/jammy,jammy,now 1.21.0-1build1 all [installed]
python3-certbot-nginx/jammy,jammy,now 1.21.0-1 all [installed]
python3-certbot/jammy,jammy,now 1.21.0-1build1 all [installed,automatic]
```

It should not create CSRs every day. That would mean your Certbot is either trying to forcefully renew a certificate daily, or you're getting new certs every day.

Please make sure you don't have --force-renewal or its synonym --renew-by-default set anywhere (also check /etc/letsencrypt/cli.ini, please).

What's your hostname or hostnames you're using Certbot with?

Also, Certbot 1.x is very old. Please use the instruction set generator at Certbot Instructions | Certbot (any Ubuntu will do) to use snap to install Certbot, so it's always up to date. Recent Certbots will not keep CSRs and private keys any longer, but your issue with daily new CSRs needs to be addressed first!

3 Likes
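The checks suggested in the reply above (how often CSRs are being written, whether a forced-renewal option is set, which scheduler is firing Certbot) as an added diagnostic script. This is not Certbot's own tooling or anything posted in the thread; it assumes the Certbot 1.x layout described by the original poster (<confdir>/csr/NNNN_csr-certbot.pem, <confdir>/cli.ini, <confdir>/renewal/<name>.conf), GNU find/touch for the per-day histogram, and openssl for reading SANs out of a CSR.

```shell
#!/bin/sh
# Added diagnostic for the "new CSR every day" symptom; not part of Certbot.
# Assumes: <confdir>/csr/NNNN_csr-certbot.pem, <confdir>/cli.ini,
# <confdir>/renewal/<name>.conf (Certbot 1.x layout), GNU find, openssl.

# How many CSR files exist under <confdir>/csr.
csr_count() {
    find "$1/csr" -maxdepth 1 -name '*_csr-certbot.pem' 2>/dev/null | wc -l | tr -d ' '
}

# CSRs created per calendar day (by mtime). A healthy install produces a few
# entries roughly 60 days apart; one line per day means something forces
# issuance on every timer run.
csr_per_day() {
    find "$1/csr" -maxdepth 1 -name '*_csr-certbot.pem' -printf '%TY-%Tm-%Td\n' 2>/dev/null \
        | sort | uniq -c
}

# Names in a CSR's SAN extension: tells you which lineage is being re-requested.
csr_domains() {
    openssl req -in "$1" -noout -text | grep -o 'DNS:[^,]*' | sed 's/DNS://'
}

# Files that force a fresh CSR on every run: either spelling of the option
# (force-renewal / renew-by-default, dash or underscore), uncommented, and
# either bare or set to true/1/yes/on. Prints each matching file.
# Returns 0 when nothing is found, 1 otherwise.
force_renewal_hits() {
    confdir=$1
    found=0
    for f in "$confdir/cli.ini" "$confdir"/renewal/*.conf; do
        [ -f "$f" ] || continue
        # drop comments first so "# force-renewal = true" does not count
        if sed 's/#.*//' "$f" | grep -Eiq \
            '^[[:space:]]*(force[-_]renewal|renew[-_]by[-_]default)[[:space:]]*(=[[:space:]]*(true|1|yes|on))?[[:space:]]*$'; then
            echo "$f"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

main() {
    confdir=${1:-/etc/letsencrypt}
    echo "CSR files under $confdir/csr: $(csr_count "$confdir")"
    echo "CSRs per day (last 10 days with activity):"
    csr_per_day "$confdir" | tail -n 10
    if force_renewal_hits "$confdir"; then
        echo "no forced-renewal option found in cli.ini or renewal/*.conf"
    else
        echo "forced-renewal option present in the file(s) listed above"
    fi
    # Who is running Certbot: the systemd timer, and any cron entry that
    # might be a second, competing scheduler.
    systemctl list-timers certbot.timer --no-pager 2>/dev/null || true
    grep -rl certbot /etc/cron.d /etc/crontab /var/spool/cron 2>/dev/null || true
}

# Usage: sh certbot-csr-audit.sh /etc/letsencrypt   (needs root to read keys/)
if [ -n "${1:-}" ]; then main "$1"; fi
```

Run it as root against /etc/letsencrypt; if `csr_per_day` shows an entry for every day, feed the newest CSR to `csr_domains` to see which certificate name is being re-requested, then look at that name's renewal/*.conf.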

Thanks, my cli.ini has

```
# Because we are using logrotate for greater flexibility, disable the
# internal certbot logrotation.
max-log-backups = 0
# Adjust interactive output regarding automated renewal
preconfigured-renewal = True
```

The Linux Mint distro doesn't like snap; it can be installed, but they prefer flatpak. I generally avoid using either when I can. I prefer PPA, source or docker.

Looking around, I may look at another way to install a newer certbot, or use the acme.sh bash script.

Domain certs are up to date and were renewed 7th Aug (nginx).

1 Like

They're not updated daily? If so, there also shouldn't be a new CSR daily.

I don't like snap either, but Gentoo at least has a rolling release method and thus is relatively up to date (2.10.0 instead of the current 2.11.0). In version 2.3.0 the usage of the /csr/ and /keys/ directories was removed.

Note that acme.sh defaults to ZeroSSL instead of Let's Encrypt. And personally I find it quite poorly documented.

1 Like

Thanks - I've got acme.sh working and switched default to letsencrypt.

2 Likes

Please check Certbot isn't making daily CSRs any longer once you've switched clients.

1 Like

Start by showing sudo certbot certificates

If you are not using the certs requested by Certbot please delete them

sudo certbot delete --cert-name (name)

Where name is cert name from the certificates list

2 Likes

Thanks - I uninstalled certbot and manually deleted (rm) the CSR files.

1 Like

Thanks - I had already uninstalled certbot and switched to acme.sh

and had also manually deleted the 523 CSR files from /etc/letsencrypt/csr (keeping the last one), using a direct 'rm'.

There were also 524 key files in /etc/letsencrypt/keys, and I removed most of them too.

I only noticed because I backup my /etc folder and could see constant file change activity in the backup logs.

The systemctl certbot.timer is deactivated and masked, and there is no cron job.

1 Like
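The manual clean-up described in the last two posts, and the "delete what you are not using" advice a few replies earlier, as an added example script; it is not from the thread or from Certbot. Unlike a blanket `rm`, it keeps any file in keys/ that is still the private key of a live certificate. It assumes the Certbot 1.x layout (the thread notes 2.3.0 and later no longer write csr/ or keys/): file names carry Certbot's sequence number (0001_csr-certbot.pem, 0001_key-certbot.pem), so name order is creation order, and a key file still in use is byte-identical to one of the privkeyN.pem files under <confdir>/archive/<name>/ (which live/<name>/privkey.pem links to). Nothing is deleted unless `--delete` is passed.

```shell
#!/bin/sh
# Added clean-up for pre-2.3 Certbot leftovers; not Certbot's own code.
# Assumptions: <confdir>/csr/NNNN_csr-certbot.pem and
# <confdir>/keys/NNNN_key-certbot.pem, numbered in creation order;
# a key still in use is byte-identical to some <confdir>/archive/*/privkeyN.pem.

# CSRs carry no secrets; keep only the newest one for reference.
stale_csrs() {
    ls "$1"/csr/*_csr-certbot.pem 2>/dev/null | sort | sed '$d'
}

# A key file is stale when no archived private key has the same contents.
# Comparing bytes (cmp) rather than names avoids deleting a key that is
# still behind live/<name>/privkey.pem.
stale_keys() {
    confdir=$1
    for k in "$confdir"/keys/*_key-certbot.pem; do
        [ -f "$k" ] || continue
        in_use=0
        for p in "$confdir"/archive/*/privkey*.pem; do
            [ -f "$p" ] || continue
            if cmp -s "$k" "$p"; then in_use=1; break; fi
        done
        [ "$in_use" -eq 0 ] && echo "$k"
    done
    return 0
}

# Dry run by default; pass --delete as the second argument to remove files.
cleanup_certbot_leftovers() {
    confdir=$1
    mode=${2:-dry-run}
    { stale_csrs "$confdir"; stale_keys "$confdir"; } | while IFS= read -r f; do
        if [ "$mode" = "--delete" ]; then
            rm -f -- "$f"
            echo "removed $f"
        else
            echo "would remove $f"
        fi
    done
}

# Usage: sh certbot-leftovers.sh /etc/letsencrypt [--delete]   (run as root)
if [ -n "${1:-}" ]; then cleanup_certbot_leftovers "$1" "${2:-}"; fi
```

Run it first without `--delete` and check that the listed keys are not the ones referenced by `certbot certificates`; since the keys/ files are private keys, prefer `shred -u` over `rm` on filesystems where that is meaningful.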

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.