Delete old files in /etc/letsencrypt/archive

I am using letsencrypt certificates on my server since some months and basically it is working.
Server OS is Suse 42.1.

Now I see in the folder /etc/letsencrypt/archive/my_server.com a lot of files:
-rw-r–r-- 1 root root 2151 12. Jun 18:35 cert1.pem
-rw-r–r-- 1 root root 2179 16. Jun 09:48 cert2.pem
-rw-r–r-- 1 root root 2374 25. Aug 17:52 cert3.pem
-rw-r–r-- 1 root root 2374 26. Okt 04:26 cert4.pem
-rw-r–r-- 1 root root 1647 12. Jun 18:35 chain1.pem
-rw-r–r-- 1 root root 1647 16. Jun 09:48 chain2.pem
-rw-r–r-- 1 root root 1647 25. Aug 17:52 chain3.pem
-rw-r–r-- 1 root root 1647 26. Okt 04:26 chain4.pem
-rw-r–r-- 1 root root 3798 12. Jun 18:35 fullchain1.pem
-rw-r–r-- 1 root root 3826 16. Jun 09:48 fullchain2.pem
-rw-r–r-- 1 root root 4021 25. Aug 17:52 fullchain3.pem
-rw-r–r-- 1 root root 4021 26. Okt 04:26 fullchain4.pem
-rw-r–r-- 1 root root 3272 12. Jun 18:35 privkey1.pem
-rw-r–r-- 1 root root 3272 16. Jun 09:48 privkey2.pem
-rw-r–r-- 1 root root 3272 25. Aug 17:52 privkey3.pem
-rw-r–r-- 1 root root 3272 26. Okt 04:26 privkey4.pem

Is it safe to delete the older ones? I see that only the newest have got symlinks in the folder /etc/letsencrypt/live

Hi @fergru,

These files are the previous versions from each renewal operation. The design of Certbot keeps all of these by default, for example in case something goes wrong with the renewal, so that you can go back to an earlier version.

If you delete a version that’s older than the newest one, it should not break anything; the next_free_version() function in Certbot’s storage.py will keep counting from the highest number (so your next renewed certificate would still be cert5.pem, etc., even if you deleted cert1.pem and cert2.pem). However, I’m not sure that we’ve tested this. Maybe it should be a part of our automated tests to confirm that this doesn’t break anything.

1 Like

The files are all < 4kb in size so it would take thousands of renewals and certs’ before disk space ever became a problem. You can however safely delete the old ones except just keeping the very last one put into /archive/ so all the one’s ending in 2, 3, 4 etc but keeping then last / previous cert ending in 1.

Careful, the numbers increase with new versions (unlike log rotation in /var/log, say), so cert9.pem is more recent than cert1.pem. If you want to delete old ones, you’ll want to delete the ones with smaller numbers, not larger numbers!

2 Likes

My bad, yes indeed. I checked but was looking at the last modified dates in reverse.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.