Old configuration cleanup

JIV · February 19, 2020, 3:52pm

Hello,
I have setup my SSL cert correctly, no problem there. I just want to cleanup my /etc/letsencrypt folder.

I got email about using old v1 ACME protocol, so I looked into my certbot and found out that I am using some old version - certbot version: 1.2.0. So I installed new one from apt repository. It upgraded my old configuration and seems to be working fine.
But now I have maybe some old files in /etc/letsencrypt/configs/. Files there matches domain name. Are they still used by new certbot 0.31.0?
I think they are not loaded because I have there config “rsa-key-size = 4096” and new keys are only 2k size.
Can I remove them?

Is new configuration stored in /etc/letsencrypt/renewal ? In file [domain].conf?
I tried to look at https://certbot.eff.org/docs/using.html#configuration-file but its pretty vague.

Thanks,
JIV

JuergenAuer · February 19, 2020, 4:02pm

Hi @JIV

use

certbot certificates

to find your certificates. There you see your exact folder names.

Then use

certbot delete [certificatename]

to delete all not longer used certificates.

schoen · February 19, 2020, 11:19pm

Note that Certbot 1.2.0 is a newer version than 0.31.0. All 1. versions are newer than all 0. versions.

JIV · February 20, 2020, 8:08am

I seriously thought there was some change in release numbers. Anyway it means Ubuntu PPA is much much older than my own standalone version.
Is it wrong use such old version? Maybe that PPA is no longer maintained?

Anyway, even after using certbot delete [certificatename], config files are still there. I think they are orphaned. Do you suppose to have any files under /etc/letsencrypt/configs ?

schoen · February 20, 2020, 11:11pm

Are you sure it’s /etc/letsencrypt/configs and not /etc/letsencrypt/renewal?

JIV · February 21, 2020, 2:30pm

Thats the thing, I have both And I think configs is from some very old installation.

It contains this line:
# the current closed beta (as of 2015-Nov-07) is using this server
server = https://acme-v01.api.letsencrypt.org/directory

schoen · February 21, 2020, 9:40pm

Wow! That is an old configuration.

I don’t believe a current Certbot has any reason to look at that, unless you tell it to with the -c option.

mnordhoff · February 24, 2020, 10:18pm

There seem to be various very old tutorials referencing /etc/letsencrypt/configs/ and also tutorials referencing that comment. E.g. this one:

https://docs.fusionpbx.com/en/latest/getting_started/lets_encrypt.html

Which mostly talks about Dehydrated or something and then switches to Certbot near the end.

It does explicitly tell you to create a file like that and then specify the -c option.

/etc/letsencrypt/configs/ has to be something that you manually created, or that may have been created by some sort of script or control panel or something that you were using. They aren’t part of Certbot itself and probably never were. Before deleting them, you’d have to determine why they exist and if you’re still using them.

Edit:

As another example, there’s this tutorial:

gist.github.com

https://gist.github.com/silpol/a1f6e4ff001f6856060055b1bb0cfc04

Install Lets Encrypt.md

# Install certbot
https://certbot.eff.org/#ubuntutrusty-other

# Config certbot

- `mkdir -p /etc/letsencrypt/configs`
- Create the file: `/etc/letsencrypt/configs/domain.com.conf`
- `mkdir -p /var/www/letsencrypt/`

# Configure nginx

This file has been truncated. show original

domain.com.conf

# the domain we want to get the cert for;
# technically it's possible to have multiple of this lines, but it only worked
# with one domain for me, another one only got one cert, so I would recommend
# separate config files per domain.
domains = domain.com

# increase key size
rsa-key-size = 2048 # Or 4096

# the current closed beta (as of 2015-Nov-07) is using this server

This file has been truncated. show original

letsencrypt-autoupdate.sh

#!/bin/sh

# update certs
cd /root/

for conf in $(ls /etc/letsencrypt/configs/*.conf); do
  ./certbot-auto --renew-by-default --config "$conf" certonly
done

# make sure nginx picks them up

This file has been truncated. show original

Which also tells you to create a cron job that runs a shell script that also relies on those config files.

(And it says to run it precisely at midnight on the first of the month! Do not do that.)

If you’re relying on something like that, you have to switch to a better/different/modern setup before you can delete them.

system · March 25, 2020, 10:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certs removed from /etc/letsencrypt/live /etc/letsencrypt/archive (but still exist in /etc/letsencrypt/renewal) Help	5	1573	January 29, 2021
Certbot 2.3.0 Release Client dev	2	1247	March 16, 2023
Renewing certs on this custom setup (strange old setup) Help	3	619	June 8, 2020
How do I clear the old data from the / etc / letsencrypt directory? Help	5	9278	April 4, 2021
How to clear out .conf files that "might not work"? Help	16	3430	April 2, 2020

Old configuration cleanup

Related topics