Proper housekeeping of /etc/letsencrypt

I see that Google says to read this article about how to remove old files from /etc/letsencrypt:

But the answer was "it's ok to remove {csr,keys}" just don't touch anything else.

I would like to know if I can remove ALL files from /etc/letsencrypt if they are older than 90 days.

Can I use a script like this:

#!/bin/bash

# Deletes every non-directory entry under /etc/letsencrypt whose
# status-change time (ctime) is more than 90 days old.
files=/etc/letsencrypt
if [[ -d "$files" ]]; then
  /usr/bin/find "$files" -ctime +90 -not -type d -delete > /dev/null
fi

The info in For "manual" DNS-challenge: Can we delete the seemingly "non core" files in /etc/letsencrypt (besides the 4, core *.pem files) and still properly function? makes it "seem" that I could do so.

Please let me know if the above script would break LetsEncrypt. Thx!

No, newer versions of Certbot will keep your .../archive/.. folder smaller on their own. And the ACME account registration and Certbot renewal config files are useful. I am pretty sure Certbot uses that renewal config file even when purely manual options are used (especially if using the recommended hooks). I doubt the certbot certificates command would work without that.

What version of Certbot are you using?

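Since the reply says not to wipe the whole tree, here is an added example (written for this thread, not Certbot's own tooling or either poster's script) of a housekeeping script limited to the csr/ and keys/ directories that the earlier thread called safe to remove. It refuses to run unless the target looks like a Certbot tree (has renewal/ or archive/), lists candidates by default, and deletes only when asked; the le_* function names are my own.

```shell
#!/bin/sh
# Added example: prune only Certbot's scratch directories under a
# Let's Encrypt config tree. live/, archive/, renewal/ and accounts/
# are never touched, since Certbot needs them for renewal and for
# `certbot certificates`.

# Directories Certbot regenerates on each issuance; old entries can be aged out.
LE_SCRATCH_DIRS="csr keys"

# Sanity check so a mistyped ROOT cannot turn this into a generic deleter.
le_is_certbot_tree() {
    [ -d "$1/renewal" ] || [ -d "$1/archive" ]
}

# le_scratch_files ROOT DAYS [print|delete]
# Prints regular files under ROOT/csr and ROOT/keys last modified more than
# DAYS days ago; with "delete" as the third argument it also removes them.
le_scratch_files() {
    root=$1; days=$2; action=${3:-print}
    le_is_certbot_tree "$root" || {
        echo "refusing: $root does not look like a Certbot tree" >&2
        return 1
    }
    for sub in $LE_SCRATCH_DIRS; do
        [ -d "$root/$sub" ] || continue
        # -type f skips directories and symlinks; -mtime +N means older than N days.
        if [ "$action" = delete ]; then
            find "$root/$sub" -type f -mtime "+$days" -print -delete
        else
            find "$root/$sub" -type f -mtime "+$days" -print
        fi
    done
}

# Run as: sh le-housekeeping.sh [ROOT] [DAYS] [delete]
# Without the third argument this is a dry run that only lists candidates.
if le_is_certbot_tree "${1:-/etc/letsencrypt}"; then
    le_scratch_files "${1:-/etc/letsencrypt}" "${2:-90}" "${3:-print}"
fi
```

Review the dry-run list before passing delete; the renewal config, account data and archive keys are left in place either way.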