Certbot saves some old files in /etc/letsencrypt/keys, /etc/letsencrypt/csr, and /etc/letsencrypt/archive for various purposes. We don’t document these directories and we don’t encourage users to use them (or to modify them, which can cause problems sometimes). They date to a time when Certbot was more experimental and when we weren’t sure how automated it would be.
The answer turned out to be “very automated”, and we’ve been considering saving less old information in these directories.
I would like to know if any users who happen to already be aware of and to understand exactly what’s saved in these directories have made use of these files somehow.
(If you don’t know what’s saved in these directories, please don’t take this as an encouragement to poke around in them…)
The issue above doesn’t propose removing archive entirely, just shredding privkey1 after privkey2 becomes current, etc. This might also happen only when there is no change in domain name coverage in the certificate, in order to ensure that the archival value is unaffected.
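To make the proposal concrete, here is an added illustration (not Certbot's own code, and not something the Certbot project ships) of the pruning rule described above: find the privkeyN.pem files in a lineage's archive directory that are older than the one live/privkey.pem currently points at, keep any whose certificate covers a different set of names than the current certificate, and overwrite-then-delete the rest. It assumes the documented Certbot layout (archive/<lineage>/privkeyN.pem and certN.pem, with live/<lineage>/privkey.pem a relative symlink into archive), and the domain-coverage comparison is injected as a callable so the demo can use constructed files instead of real certificates. The function names, the demo tree and its contents are all constructed for this example. The optional coverage helper that shells out to the openssl CLI (OpenSSL 1.1.1 or later for -ext) is an assumption as well and is not exercised by the demo.

```python
import os
import re
import secrets
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

# Matches Certbot's versioned key files inside archive/<lineage>/ (assumed layout).
PRIVKEY_RE = re.compile(r"^privkey(\d+)\.pem$")

SameCoverage = Callable[[Path, Path], bool]


def current_version(live_dir: Path) -> int:
    """Return N for the privkeyN.pem that live/<lineage>/privkey.pem points at."""
    target = os.readlink(live_dir / "privkey.pem")  # relative symlink in Certbot's layout
    m = PRIVKEY_RE.match(os.path.basename(target))
    if m is None:
        raise ValueError(f"live privkey.pem does not point at an archive key: {target}")
    return int(m.group(1))


def superseded_keys(archive_dir: Path, current: int, same_coverage: SameCoverage) -> List[Path]:
    """Older private keys whose certificate covers exactly the same names as the current one."""
    found = []
    for p in archive_dir.iterdir():
        m = PRIVKEY_RE.match(p.name)
        if m:
            found.append((int(m.group(1)), p))
    victims = []
    for n, key_path in sorted(found):
        if n >= current:
            continue  # current key (or a newer one); never touch
        if not same_coverage(archive_dir / f"cert{n}.pem", archive_dir / f"cert{current}.pem"):
            continue  # coverage changed: keep for archival value, as the post proposes
        victims.append(key_path)
    return victims


def shred_file(path: Path, passes: int = 1) -> None:
    """Overwrite in place with random bytes, sync, then unlink.
    Caveat: on copy-on-write, journaling or snapshotting filesystems the old blocks
    may survive; this only defeats casual recovery of the key material."""
    size = path.stat().st_size
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            f.write(secrets.token_bytes(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()


def prune_lineage(config_dir: Path, lineage: str, same_coverage: SameCoverage,
                  dry_run: bool = True) -> List[Path]:
    """Plan (dry_run=True) or perform shredding of superseded keys for one lineage."""
    archive = config_dir / "archive" / lineage
    live = config_dir / "live" / lineage
    victims = superseded_keys(archive, current_version(live), same_coverage)
    if not dry_run:
        for v in victims:
            shred_file(v)
    return victims


def coverage_via_openssl(cert_path: Path) -> frozenset:
    """Assumption: the openssl CLI is installed; extracts DNS names from subjectAltName."""
    out = subprocess.run(["openssl", "x509", "-in", str(cert_path), "-noout", "-ext", "subjectAltName"],
                         capture_output=True, text=True, check=True).stdout
    return frozenset(re.findall(r"DNS:([^,\s]+)", out))


def same_coverage_openssl(a: Path, b: Path) -> bool:
    return coverage_via_openssl(a) == coverage_via_openssl(b)


# --- constructed demo data below: plain text stand-ins, not real keys or certificates ---

def build_demo_tree(config_dir: Path) -> None:
    """cert1 covers one name, cert2 and cert3 cover the same two names; privkey3 is current."""
    archive = config_dir / "archive" / "example.org"
    live = config_dir / "live" / "example.org"
    archive.mkdir(parents=True)
    live.mkdir(parents=True)
    coverage = {1: "example.org", 2: "example.org www.example.org", 3: "example.org www.example.org"}
    for n, names in coverage.items():
        (archive / f"cert{n}.pem").write_text(names)
        (archive / f"privkey{n}.pem").write_bytes(b"DEMO-KEY-%d\n" % n)
    os.symlink("../../archive/example.org/privkey3.pem", live / "privkey.pem")


def same_coverage_demo(a: Path, b: Path) -> bool:
    """Coverage check for the demo files: compare the whitespace-separated name lists."""
    return set(a.read_text().split()) == set(b.read_text().split())


def demo() -> Dict[str, List[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp)
        build_demo_tree(cfg)
        planned = prune_lineage(cfg, "example.org", same_coverage_demo, dry_run=True)
        shredded = prune_lineage(cfg, "example.org", same_coverage_demo, dry_run=False)
        remaining = sorted(p.name for p in (cfg / "archive" / "example.org").iterdir()
                           if PRIVKEY_RE.match(p.name))
        return {"planned": [p.name for p in planned],
                "shredded": [p.name for p in shredded],
                "remaining": remaining}


if __name__ == "__main__":
    print(demo())  # privkey2 is shredded; privkey1 survives because its coverage differs
```

In the demo only privkey2.pem is removed: privkey3 is current, and privkey1 is kept because cert1 covers a different set of names than cert3, which is exactly the "no change in domain name coverage" condition from the post. Against a real /etc/letsencrypt you would pass same_coverage_openssl instead of the demo comparison, run with dry_run=True first, and keep in mind that in-place overwriting is not a guarantee on copy-on-write or snapshotting filesystems.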