Is it possible to disable automatic nginx backups when issuing certs?

We’re issuing certs using the nginx plugin. Everything is working great there. However, whenever we issue a cert, it appears that certbot automatically backs up our entire nginx sites-available folder to /var/lib/letsencrypt/backups/[number].[number]/.

We have a fairly large number of domains so eventually after so many issuances, the filesystem inodes become exhausted and it results in the disk acting like it’s full. This causes all kinds of strange behavior until we delete some of those backups to free up inodes.

We already version our nginx files using git so these backups are unnecessary. Is it possible to disable this functionality? I don’t see anything about these automatic backups in the documentation or a possible way to disable them.

I’ve also noticed that issuing a cert takes much longer than I’d expect. I am beginning to wonder how much of that time is spent backing up all of our nginx files each time we issue a cert. It would be great if a side-effect of disabling this was faster cert issuances.

Thanks for your time and thanks to LetsEncrypt for providing such a great service.

Reading over the Certbot source code, it doesn’t look like there is any way to disable the reverter. So this probably belongs in a feature request: https://github.com/certbot/certbot/issues

I think if your nginx configuration uses so many inodes, it could potentially be better to design your use of Certbot to be completely stateless, from the perspective of nginx. In other words, using certonly instead of the --nginx plugin.

To do this:

  • Use one catch-all location to route /.well-known/acme-challenge/ requests to a centralized location, then use --webroot.
  • A centralized HTTPS virtualhost that uses parameterized $ssl_certificate and $ssl_certificate_key variables (introduced in nginx 1.15.9).

A different way might be to just keep fewer backups. How many days of backups can you keep before inode exhaustion?

Maybe you can make a cron task to delete backup directories older than e.g. 7 days?

find /var/lib/letsencrypt/backups -maxdepth 1 -mtime +7
2 Likes
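
The cron cleanup suggested in the reply above, written out as an added example (not part of the original posts and not Certbot's own code). It assumes the backups are direct child directories named [number].[number], as the question describes; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: prune old Certbot backup directories by age.
# Assumption: backups are direct children of the backup directory and are
# named <digits>.<digits>; anything else found there is left alone.
# Intended cron use (as root), after sourcing this file:
#   prune_backups /var/lib/letsencrypt/backups 7 --delete

# list_old_backups DIR DAYS
# Prints matching child directories whose mtime is more than DAYS days old.
list_old_backups() {
    dir=$1
    days=$2
    # Refuse an empty, missing or symlinked DIR so that a bad variable in a
    # root cron job can never widen the search to some other tree.
    [ -n "$dir" ] && [ -d "$dir" ] && [ ! -L "$dir" ] || return 2
    # DAYS must be a plain non-negative integer.
    case $days in ''|*[!0-9]*) return 2 ;; esac
    # -type d does not follow symlinks; the two -name tests together accept
    # only names made of digits and dots that start with a digit.
    find "$dir" -mindepth 1 -maxdepth 1 -type d \
        -name '[0-9]*.[0-9]*' ! -name '*[!0-9.]*' \
        -mtime +"$days" -print
}

# prune_backups DIR DAYS [--delete]
# Dry run by default: prints what would be removed. With --delete, removes it.
prune_backups() {
    mode=${3:-}
    old=$(list_old_backups "$1" "$2") || return 2
    [ -n "$old" ] || return 0
    # Names are digits and dots only, so one path per line is unambiguous.
    printf '%s\n' "$old" | while IFS= read -r path; do
        if [ "$mode" = "--delete" ]; then
            rm -rf -- "$path" && echo "removed $path"
        else
            echo "would remove $path"
        fi
    done
}
```

Run it once without --delete to review the list. A removed backup can no longer be used by Certbot to roll back the nginx configuration, so the git history mentioned in the question becomes the only restore path.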

Thank you so much for the well thought out reply. This definitely gives me some options to consider. Short-term I’ll probably just automate a deletion of the backups like you said. Long-term I’ll consider the other options.

1 Like
