Can I remove all CSRs under the /etc/letsencrypt/csr/ directory?
Now my server provides web services for a hundred domains and the CSR directory contains a lot of files and consumes a lot of disk space. And I want to remove all files in that directory. Can I do it for expired and actual certificates and how can I distinguish these certificates?
None of the files archived in /etc/letsencrypt/csr are ever reused by Certbot. They’re essentially just there for reference purposes; there’s no harm to Certbot in deleting them. (I’ve just double-checked this fact in the code base.)
(Note that the same is not true for some other parts of /etc/letsencrypt!)
Potentially we should make Certbot stop saving these entirely, since it’s not clear that many users are benefiting from their presence.
I think it would be good if we didn’t store unnecessary files in /etc/letsencrypt. Could you stop saving CSRs by certbot (maybe with a special option)? Or can I clear /etc/letsencrypt/csr right after generating new certs?
You can. But seriously, why do you want to? They don’t take any significant amount of space. Looking on my server, the largest CSRs I’m seeing are under 1.5 KB each. A thousand of those would take up 1.5 MB. Just how storage-constrained is your environment for this to be a concern?
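For anyone who wants to check the numbers discussed in this thread before cleaning up, here is an added example (not posted by any participant and not Certbot's own code) that reports how many CSR files the directory holds and how much space they use, and deletes them only on request. The function name `csr_prune` is hypothetical, and the `NNNN_csr-certbot.pem` file naming is an assumption; the guard refuses any directory not named `csr`, since other parts of /etc/letsencrypt are not safe to delete.

```shell
# Added example: report and optionally prune archived Certbot CSRs.
# Assumption: files are named NNNN_csr-certbot.pem; adjust CSR_PATTERN if not.
CSR_PATTERN='*_csr-certbot.pem'

# usage: csr_prune DIR [--delete]   (dry run unless --delete is given)
csr_prune() {
    cp_dir=$1
    cp_mode=${2:-}

    # Only operate on a real directory named "csr", so a typo cannot aim
    # this at live/, archive/, renewal/ or accounts/, which Certbot needs.
    if [ "$(basename "$cp_dir")" != "csr" ]; then
        echo "refusing: $cp_dir is not a csr directory" >&2
        return 2
    fi
    if [ ! -d "$cp_dir" ] || [ -L "$cp_dir" ]; then
        echo "refusing: $cp_dir is missing or is a symlink" >&2
        return 2
    fi

    # Regular files directly inside the directory only; no recursion.
    cp_count=$(find "$cp_dir" -maxdepth 1 -type f -name "$CSR_PATTERN" | wc -l | tr -d ' ')
    cp_bytes=$(find "$cp_dir" -maxdepth 1 -type f -name "$CSR_PATTERN" -exec cat {} + | wc -c | tr -d ' ')
    echo "$cp_count files, $cp_bytes bytes"

    if [ "$cp_mode" = "--delete" ]; then
        find "$cp_dir" -maxdepth 1 -type f -name "$CSR_PATTERN" -exec rm -f -- {} +
    fi
}

# Typical use as root:
#   csr_prune /etc/letsencrypt/csr            # report only
#   csr_prune /etc/letsencrypt/csr --delete   # remove the CSR files
```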