How can I completely reinstall Let’s Encrypt, delete all old certificates, and start fresh?


#1

Hello,

I have had a lot of stress, as always, with the console trying to get Let’s Encrypt working how I want it. After lots of reinstalls, etc., I finally had it ready to work, but then I got an error saying my domain has reached its certificate limit. I was wondering how I can COMPLETELY delete ALL of them, all Let’s Encrypt-related files on the server (I know of /etc, /var/lib, and /opt). Thank you very much.


#2

Hi @casparwylie, as described in other threads here, deleting Let’s Encrypt files or certificates will not affect the rate limits. The rate limits are enforced on the CA based on the total number of certificates issued, not based on which certificates are in use (or in your possession or unrevoked).

Deleting your existing certificates or LE client installation will not allow you to get new or different certs any faster. The main certificate limit will reset after 7 days, regardless of what you do or don’t do:

In the future, you can try using --staging to get test certificates instead of production certificates (test certificates from the staging server don’t count against your production server rate limit), or --dry-run (starting in client version 0.4.0) to get test certificates without installing them (to verify that the CA would be willing to issue the certificates you request using the verification method you plan to use).


#3

@schoen Could you also describe which files to delete to completely remove all traces of letsencrypt from a system? This would be nice to know for quick testing using the --test-cert option.


#4

Warning: This will delete ALL certificates (including private keys), account keys, renewal configuration and log files. Don’t run this unless you have a good reason to!
You might also be interested in the config_changes or rollback subcommands for the apache plugin, allowing you to view or revert changes made to your apache configuration.

Off the top of my head, this should remove any traces:

rm -rf /path/to/your/git/clone/directory
rm -rf ~/.local/share/letsencrypt
rm -rf /etc/letsencrypt
rm -rf /var/log/letsencrypt
rm -rf /var/lib/letsencrypt

(Let me know if I missed anything!)


#6

There’s also a bunch of Python modules it depends on:

Depends On     : ca-certificates  python2-acme=0.4.2  python2-configargparse
                 python2-configobj  python2-cryptography  python2-pyopenssl
                 python2-mock  python2-parsedatetime  python2-psutil
                 python2-pyrfc3339  python2-pythondialog  python2-pytz
                 python2-requests  python2-setuptools  python2-six
                 python2-zope-component  python2-zope-interface

In my case, I can manage uninstalling with pacman in Arch Linux. What about for users who used the cloned-repo method? Do they also need to uninstall the Python modules? Or are those in ~/.local/share/letsencrypt?

I also just noticed ~/letsencrypt.log.


#7

The instructions were for a git clone-type installation specifically. If your distribution ships letsencrypt as a package, I would recommend using your package manager to uninstall the client (i.e. apt-get remove --purge letsencrypt for Debian-based distributions).

I imagine pacman has something like --purge as well, but I’m not familiar with Arch.

Note that I didn’t attempt to uninstall any of the dependencies the letsencrypt-auto script installs through your package manager, because that depends on your distribution and could easily break things if you’re relying on one of those dependencies somewhere else.


#8

@pfg Oh, so letsencrypt-auto in fact detects and uses the OS’s package manager? In that case, the above dependency list might be helpful to someone. I wasn’t sure if the auto script was installing dependencies in a custom way (not using the OS’s package manager (in Linux at least)).

So, yeah, in my case with Arch Linux and using the --standalone plugin, completely removing traces of letsencrypt is like this:

sudo pacman -Rsun letsencrypt
sudo rm -rf /var/log/letsencrypt
sudo rm -rf /etc/letsencrypt
rm ~/letsencrypt.log

Note that this doesn’t handle changes made by webserver or apache plugins, only changes made by the standalone and manual methods with defaults, which place things in /etc. If using webroot, we’ll have to clean those webroots too, if using apache we’ll need to clean those configs, etc., etc., depending on the plugin used.


#9

Yep, letsencrypt-auto contains OS-specific bootstrap scripts which rely on the package manager to install dependencies. Additionally, it will install python packages in a virtual environment (~/.local/share/letsencrypt).
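A more cautious form of the removal commands in this thread, added here as an example and not posted by any participant: it lists what would be deleted by default, and with --apply first archives everything into an owner-only tarball, because /etc/letsencrypt holds private keys and the account key. The function names le_paths and le_purge and the backup tarball are hypothetical; the paths are the ones named in the posts above, and the git clone directory and distribution packages are not handled.

```shell
#!/bin/sh
# Added example: back up, then remove, the letsencrypt paths named in this thread.
# ROOT and HOME_DIR are parameters so the procedure can be rehearsed on a scratch tree.

le_paths() {
    # $1 = filesystem root prefix ("" for the real system), $2 = home directory
    printf '%s\n' \
        "$1/etc/letsencrypt" \
        "$1/var/log/letsencrypt" \
        "$1/var/lib/letsencrypt" \
        "$2/.local/share/letsencrypt" \
        "$2/letsencrypt.log"
}

le_purge() {
    # usage: le_purge ROOT HOME_DIR BACKUP_TARBALL [--apply]
    root=$1; home=$2; backup=$3; mode=${4:-}

    # Collect only the paths that exist, as positional parameters,
    # so names containing spaces survive intact.
    set --
    while IFS= read -r p; do
        if [ -e "$p" ]; then set -- "$@" "$p"; fi
    done <<EOF
$(le_paths "$root" "$home")
EOF

    if [ $# -eq 0 ]; then
        echo "nothing to remove"
        return 0
    fi

    # Default is a dry run: show the targets and touch nothing.
    if [ "$mode" != "--apply" ]; then
        printf 'would remove: %s\n' "$@"
        return 0
    fi

    # The archive contains private keys: create it readable by the owner only,
    # and refuse to delete anything if the backup fails.
    ( umask 077 && tar -czf "$backup" "$@" ) || return 1
    rm -rf -- "$@"
}

# Real system, run as root, dry run first:
#   le_purge "" "$HOME" /root/letsencrypt-backup.tgz
#   le_purge "" "$HOME" /root/letsencrypt-backup.tgz --apply
```

As noted in post #2, removing these files neither revokes issued certificates nor changes the CA-side rate limit.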