Old files in csr and keys folders

Hi all,

Is it necessary to keep all files in the csr and keys folders? There are more than 100,000 files occupying about 500 MB in each of them. Can I delete the older ones and how old must they be?

Thank you very much
Thomas


You don’t provide enough information to clearly define the problem nor to give any definite advice.
Are you using your own copy of boulder?
Are you forcibly renewing all your certs (including those that are unexpired)?
I can’t understand how you could have 100,000 cert-related files…

But I will attempt to answer your question: "Can I delete the older ones and how old must they be?"
I would say, csr files can be deleted after they have been used.
Key files, however, depend on the type of key:
Public keys could be deleted anytime after they have expired.
Private keys should only be deleted when they are no longer in use - that depends on your use; not a specific timeframe.
Account keys should probably not be deleted - unless, for instance, they are to be replaced with a stronger key.

Maybe you’re using Certbot?

Deleting files from /etc/letsencrypt/csr and /etc/letsencrypt/keys should not cause any trouble. These particular files are not used by Certbot at all and are only intended for the human user’s reference (!), yet almost no users ever have a reason to refer to these. I have even proposed that we should stop keeping them entirely.

You might want to use shred -u to delete the keys to decrease the chance that someone will find old keys on your hard drive in the future (which might be used to decrypt any recorded TLS sessions that used a non-Diffie-Hellman key exchange method).

You must have quite a lot of certificates in your environment!

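One way to act on the advice above (purge leftover files under /etc/letsencrypt/csr and /etc/letsencrypt/keys, overwriting them with shred -u before unlinking) as a small POSIX shell script; this is an added example, not code from the thread or from Certbot itself. The helper names, the `--run` switch and the 90-day cutoff (the maximum lifetime of a Let's Encrypt certificate, so anything older cannot still be in use) are assumptions.

```shell
#!/bin/sh
# Purge Certbot's reference-only csr/keys leftovers older than a cutoff.
# Added example; /etc/letsencrypt/csr and /etc/letsencrypt/keys are the
# directories named in the thread, everything else here is an assumption.

# count_leftovers DIR DAYS: number of regular files in DIR older than DAYS
count_leftovers() {
    find "$1" -maxdepth 1 -type f -mtime +"$2" 2>/dev/null | wc -l | tr -d ' '
}

# purge_leftovers DIR DAYS: overwrite-then-unlink every matching file and
# print how many were removed. Uses shred -u (the thread's suggestion) when
# available; otherwise falls back to rm and says so, because a plain unlink
# leaves the key bytes recoverable on disk.
purge_leftovers() {
    dir=$1
    days=$2
    before=$(count_leftovers "$dir" "$days")
    if command -v shred >/dev/null 2>&1; then
        # Note: shred only helps on filesystems that overwrite in place;
        # journaled, CoW or snapshotted volumes may keep older copies.
        find "$dir" -maxdepth 1 -type f -mtime +"$days" -exec shred -u {} +
    else
        echo "shred not found, falling back to rm (no overwrite)" >&2
        find "$dir" -maxdepth 1 -type f -mtime +"$days" -exec rm -f {} +
    fi
    after=$(count_leftovers "$dir" "$days")
    echo $((before - after))
}

# Real run only when invoked as: sh purge_certbot_leftovers.sh --run [DAYS]
# Sourcing the file (as the test does) defines the functions without acting.
if [ "${1:-}" = "--run" ]; then
    cutoff=${2:-90}   # assumed default: max Let's Encrypt cert lifetime
    for d in /etc/letsencrypt/csr /etc/letsencrypt/keys; do
        [ -d "$d" ] || continue
        echo "$d: $(count_leftovers "$d" "$cutoff") files older than $cutoff days"
        echo "$d: removed $(purge_leftovers "$d" "$cutoff")"
    done
fi
```

Run it once as a dry check without `--run` to confirm it defines the functions and touches nothing, then with `--run` (as root) to purge; files newer than the cutoff, including any key still paired with a live certificate, are left alone.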

Thank you for your answers!

No, I only have 3 domains plus 4 or 5 subdomains. But, until 3 days ago I forgot to cancel the automated requests for a deleted domain. Could this have caused this tremendous amount of files? Since I corrected this, there are no new files occurring.

Hmmm, maybe so. Sounds like another reason that we should consider not saving this information (which again is not used internally by the Certbot software and which very few users ever find a use for).

Well, sounds reasonable. I’ll update this thread if such a strange behavior occurs again.

Thank you very much for your support!

Roughly how many certificates did you have for the deleted domain, and how often is “certbot renew” configured to run?

If you had 1 certificate and run it once a day, it should only create 2 files per day, or 730 per year.

If you had, say, 15 certificates, and run it every 6 hours, it could create almost 45,000 files per year…

Edit: That still doesn’t approach your situation of more than 200,000 files, though.

Very strange. Until the mentioned 3 days ago it was configured to run once a month. I changed this to once every two months.

The cron job ‘renew-lets-encrypt.sh’ itself is running twice a month.

BTW, I use Ubuntu 16.04 on a virtual server, hosted by a professional webhoster, and configure the certificates stuff in Virtualmin. Everything is updated regularly.

Let me know if I can get you more information.

I would be curious about the file creation dates and sizes, but I guess you’ve already deleted them!

Sorry for the late answer!

Yes, I did and now only very few files exist. Too bad…
