Remove all generated CSR to free disk space


#1

Hi!

Can I remove all CSR under the /etc/letsencrypt/csr/ directory?

Now my server provides web services for a hundred domains and the CSR directory contains a lot of files and consumes a lot of disk space. And I want to remove all files in that directory. Can I do it for expired and actual certificates and how can I distinguish these certificates?


#2

AFAIK there’s no need to keep those files since a new CSR is generated each time. A certificate can’t be older than 90 days so you can look up CSRs older than that time.

List all CSR files not modified during the past 91 days:
find /etc/letsencrypt/csr/ -type f -name '*.pem' -mtime +91 -exec ls -lah {} \;

Delete all CSR files not modified during the past 91 days:
find /etc/letsencrypt/csr/ -type f -name '*.pem' -mtime +91 -exec rm -f {} \;
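The two find commands above as a small, reusable script, added here as an example and not posted by anyone in this thread. It wraps the same age-based selection (file mtime as a proxy for certificate age, since a certificate is at most 90 days old and a fresh CSR is written on every issuance) in functions that count, list, and delete, so you can dry-run with `list` before running `delete`. It assumes the usual Certbot layout of flat `NNNN_csr-certbot.pem` files directly under /etc/letsencrypt/csr, stays at that depth (`-maxdepth 1`, supported by GNU, BSD and BusyBox find), and never touches anything that is not a regular `*.pem` file.

```shell
#!/bin/sh
# prune_csrs.sh: list or delete archived Certbot CSR files older than N days.
# Added example for the thread above; not part of Certbot. Assumptions:
#   - CSRs live as flat regular files named *.pem directly in $CSR_DIR
#   - find(1) supports -maxdepth (GNU, BSD and BusyBox all do)

CSR_DIR="${CSR_DIR:-/etc/letsencrypt/csr}"
MIN_AGE_DAYS="${MIN_AGE_DAYS:-91}"   # one day past the 90-day certificate lifetime

# Print every *.pem regular file in $1 whose mtime is more than $2 days old.
# -maxdepth 1 keeps us from wandering into anything unexpected below the directory.
list_old_csrs() {
    dir="$1"; days="$2"
    find "$dir" -maxdepth 1 -type f -name '*.pem' -mtime +"$days" -print
}

# Number of files list_old_csrs would return (tr strips BSD wc's padding).
count_old_csrs() {
    list_old_csrs "$1" "$2" | wc -l | tr -d ' '
}

# Delete the files list_old_csrs returns and print how many were removed.
# Deletion happens inside find (-exec ... {} +) so odd filenames are never
# split by a shell pipeline; the count is taken before and after.
prune_old_csrs() {
    dir="$1"; days="$2"
    before=$(count_old_csrs "$dir" "$days")
    find "$dir" -maxdepth 1 -type f -name '*.pem' -mtime +"$days" -exec rm -f {} +
    after=$(count_old_csrs "$dir" "$days")
    echo $((before - after))
}

# CLI: prune_csrs.sh list|delete [dir] [days]
main() {
    mode="$1"; dir="${2:-$CSR_DIR}"; days="${3:-$MIN_AGE_DAYS}"
    case "$mode" in
        list)
            list_old_csrs "$dir" "$days"
            echo "$(count_old_csrs "$dir" "$days") CSR file(s) older than $days days in $dir"
            ;;
        delete)
            echo "deleted $(prune_old_csrs "$dir" "$days") CSR file(s) older than $days days from $dir"
            ;;
        *)
            echo "usage: $0 list|delete [dir] [days]" >&2
            return 2
            ;;
    esac
}

# Only act when invoked with arguments, so sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Run `sh prune_csrs.sh list` first and check the count against `ls /etc/letsencrypt/csr | wc -l`; `sh prune_csrs.sh delete` then removes exactly the files that were listed. Set `CSR_DIR` or pass a directory as the second argument to point it at a test copy.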


#3

None of the files archived in /etc/letsencrypt/csr are ever reused by Certbot. They’re essentially just there for reference purposes; there’s no harm to Certbot in deleting them. (I’ve just double-checked this fact in the code base.)

(Note that the same is not true for some other parts of /etc/letsencrypt!)

Potentially we should make Certbot stop saving these entirely, since it’s not clear that many users are benefiting from their presence.


#4

Thanks for your reply and command examples. But what about CSRs which are younger than 91 days? Why can't I remove them?


#5

@localhorst probably assumed that CSRs that relate to unexpired certificates remain relevant. But Certbot doesn’t use them for anything.


#6

@schoen, thanks for your answer!

I think it would be good if we didn't store unnecessary files in /etc/letsencrypt. Could you make certbot stop saving CSRs (maybe with a special option)? Or can I clear /etc/letsencrypt/csr right after generating new certs?


#7

You can. But seriously, why do you want to? They don’t take any significant amount of space. Looking on my server, the largest CSRs I’m seeing are under 1.5 KB each. A thousand of those would take up 1.5 MB. Just how storage-constrained is your environment for this to be a concern?


#8

@danb35, some stats from my test server which serves three hundred domains:

# ll /etc/letsencrypt/csr | wc -l
29976
# du -sh /etc/letsencrypt/csr
119M    /etc/letsencrypt/csr

And earlier it took up about 3G.

I know there is a bug in my configuration and I'm solving it now. But in any case, I should be able to painlessly clear the CSR folder on all test and prod servers on which certs are generated.

Also, I think we shouldn't store unused files at all. But I don't know all the use cases, so simple clearing with the rm command will be good for me.


#9

So I think the right way forward is to completely stop storing them.

I will try to move ahead with

where I previously suggested not storing the CSRs and not archiving the old private keys in keys (which also aren’t used!).


#10

I’ve also just posted

to discuss this and a related issue (hopefully only with users who already know what those files are!).