For "manual" DNS-challenge: Can we delete the seemingly "non core" files in /etc/letsencrypt (besides the 4, core *.pem files) and still properly function?

Details:

The only two files you actually need for a TLS server are privkey.pem and fullchain.pem from /etc/letsencrypt/live/<domain>/.

Don’t directly reference anything inside /etc/letsencrypt/archive; that’s Certbot’s internal state.

If you discard the rest of /etc/letsencrypt/ every time you issue a certificate, it means you are losing all of the other state used by Certbot - such as your Let’s Encrypt ACME account. Sure, you can just register a new account every time you go through this process, but it’s mildly impolite and seems otherwise pointless. Why not just keep it around?

Account registration is also rate limited. If you issue certificates frequently, registering new accounts and discarding them every time, you could run into problems.

Does “properly function” include the ability to have Certbot renew the certificate? If so, then you also need /etc/letsencrypt/renewal and /etc/letsencrypt/accounts.
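Putting the replies above together, here is an added shell check (not posted in the thread and not part of Certbot) that tells you whether a Certbot directory still has what the answers say it needs: live/<domain>/privkey.pem and fullchain.pem resolving to files under archive/, a renewal/<domain>.conf, and an ACME account under accounts/. The `make_demo_tree` helper builds a constructed copy of that layout in a temporary directory so the check can be exercised without touching a real /etc/letsencrypt; the account-id directory name in it is a placeholder, and `readlink -f` is assumed to be available (GNU coreutils).

```shell
#!/bin/sh
# Added example: check a Certbot config directory for the pieces the thread
# says are required. Usage: check_letsencrypt_dir /etc/letsencrypt example.com
# Returns 0 when everything is present, 1 otherwise, printing what is missing.
check_letsencrypt_dir() {
  base="$1"; domain="$2"; missing=0
  for f in privkey.pem fullchain.pem; do
    p="$base/live/$domain/$f"
    # live/ entries are symlinks into archive/. If archive/ was deleted the
    # link dangles and -e fails; if it points elsewhere it is not Certbot's.
    if [ ! -e "$p" ]; then
      echo "missing or dangling: $p"; missing=1
    else
      case "$(readlink -f "$p")" in
        "$(readlink -f "$base/archive")"/*) ;;
        *) echo "not inside archive/: $p"; missing=1 ;;
      esac
    fi
  done
  # certbot renew reads renewal/<domain>.conf to know how to renew.
  [ -f "$base/renewal/$domain.conf" ] || {
    echo "missing: $base/renewal/$domain.conf (certbot renew needs it)"; missing=1
  }
  # Without an account directory, renewal would have to register a new
  # ACME account, which is rate limited.
  if [ -z "$(ls -A "$base/accounts" 2>/dev/null)" ]; then
    echo "missing: $base/accounts (no ACME account saved)"; missing=1
  fi
  return $missing
}

# Build a constructed /etc/letsencrypt-style tree in a temp dir and print
# its path. File contents and the account id are placeholders, not real keys.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/archive/example.com" "$d/live/example.com" "$d/renewal" \
           "$d/accounts/acme-v02.api.letsencrypt.org/directory/PLACEHOLDER_ACCOUNT_ID"
  for f in privkey fullchain cert chain; do
    echo "placeholder $f" > "$d/archive/example.com/${f}1.pem"
    ln -s "../../archive/example.com/${f}1.pem" "$d/live/example.com/$f.pem"
  done
  printf 'version = 0.0.0\n' > "$d/renewal/example.com.conf"
  echo "$d"
}
```

Run it against a real directory as `check_letsencrypt_dir /etc/letsencrypt yourdomain` (as a user that can read the tree); a non-zero exit with the printed reasons tells you which of the "non core" pieces you would have lost.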