Remove all generated CSR to free disk space

vkulakov · November 23, 2018, 9:10am

Hi!

Can I remove all CSR under the /etc/letsencrypt/csr/ directory?

Now my server provides web services for a hundred domains and the CSR directory contains a lot of files and consumes a lot of disk space. And I want to remove all files in that directory. Can I do it for expired and actual certificates and how can I distinguish these certificates?

localhorst · November 23, 2018, 10:32pm

AFAIK there’s no need to keep those files since a new CSR is generated each time. A certificate can’t be older than 90 days so you can look up CSRs older than that time.

List all CSR files not modified during the past 91 days:
find /etc/letsencrypt/csr/ -type f -name ‘*.pem’ -mtime +91 -exec ls -lah {} ;

Delete all CSR files not modified during the past 91 days:
find /etc/letsencrypt/csr/ -type f -name ‘*.pem’ -mtime +91 -exec rm -f {} ;

schoen · November 24, 2018, 4:43am

None of the files archived in /etc/letsencrypt/csr are ever reused by Certbot. They’re essentially just there for reference purposes; there’s no harm to Certbot in deleting them. (I’ve just double-checked this fact in the code base.)

(Note that the same is not true for some other parts of /etc/letsencrypt!)

Potentially we should make Certbot stop saving these entirely, since it’s not clear that many users are benefiting from their presence.

vkulakov · November 24, 2018, 8:09pm

Thanks for your reply and command examples. But what about CSRs which are younger than 91 days? Why I can’t remove them?

schoen · November 24, 2018, 8:17pm

@localhorst probably assumed that CSRs that relate to unexpired certificates remain relevant. But Certbot doesn’t use them for anything.

vkulakov · November 24, 2018, 8:20pm

@schoen, thanks for your answer!

I think it will be good if we won’t store unnecessary files in /etc/letsencrypt. Could you stop saving CSRs by certbot (maybe with a special option)? Or I can clear /etc/letsencrypt/csr right after generating new certs?

danb35 · November 24, 2018, 8:25pm

You can. But seriously, why do you want to? They don’t take any significant amount of space. Looking on my server, the largest CSRs I’m seeing are under 1.5 KB each. A thousand of those would take up 1.5 MB. Just how storage-constrained is your environment for this to be a concern?

vkulakov · November 24, 2018, 8:39pm

@danb35, some stats from my test server which serves three hundred domains:

# ll /etc/letsencrypt/csr | wc -l
29976
# du -sh /etc/letsencrypt/csr
119M    /etc/letsencrypt/csr

And earlier it took up about 3G.

I know there is a bug in my configuration and I’m solving it now. But in any case, I should painless clear the CSR folder on all test and prod servers, on which certs are generated.

Also, I think we shouldn’t store unused files at all. But I don’t know all use-cases, so simple clearing with rm command will be good for me.

schoen · November 26, 2018, 12:01am

So I think the right way forward is to completely stop storing them.

I will try to move ahead with

where I previously suggested not storing the CSRs and not archiving the old private keys in keys (which also aren’t used!).

schoen · November 26, 2018, 12:12am

I've also just posted

to discuss this and a related issue (hopefully only with users who already know what those files are!).

system · December 26, 2018, 12:12am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.