Infinite ssl rollover trail

I’ve finally gone live with sympl, retiring an olde symbiosis/bytemark/bigV machine this morning. A disgraceful delay but yay! :upside_down_face:

So, a starter for 10. I’ve accumulated several thousand /srv/*/config/ssl/sets directories with expired certs. It would be handy to have automatic removal/rotation.

For now, testing one of the sites shows that manual deletion of the old sets doesn’t affect rollover [and the new set starts at ‘current’ target +1, not ‘0’].

Environment :deciduous_tree:

  • Sympl Version [11]:
  • Sympl Testing Version [no]
  • Debian Version [bullseye]:
  • Hardware Type [virtual]
  • Hosted On [mythic-beasts]

I have exactly 8 sets in each domain, with the highest numbered typically in the range 20-30.
I’m fairly sure Sympl removes the older ones automatically, in a cron job somewhere.

Hey, thanks, I wasn’t expecting that. I can’t find the file carrying out the cleanup but if automagic doesn’t happen before or with the next rollover, I guess I could move ‘current’ files to sets/0 and try sympl-ssl --select 0.

You should be fine to just remove the non-current ones as it’ll look for the highest number and increment it - a future version of sympl-ssl will clean out old ones automatically, but generally you should be fine.

Thanks. I went down the copy current/* to set/0 and sympl-ssl --select 0 route before deleting the extraneous sets - to make it easier to keep track of updates. What I hadn’t realised is that the several thousand directories were largely a result of the certs getting updated every day for months on end under symbiosis. I’m surprised that rate-limiting didn’t kick in. Anyway, it’s behaving as expected now and Let’s Encrypt don’t seem to have missed me. :wink:
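The cleanup discussed in this thread, as an added example that is not part of any post and is not Sympl's own code: a shell function that removes every numbered set except the one `current` points to, and only lists candidates unless told to delete. It assumes `current` is a symlink to `sets/<number>` inside each site's `config/ssl` directory; the function name `prune_ssl_sets` and the demo site name are hypothetical.

```shell
#!/bin/sh
# Added example: prune non-current certificate sets under ROOT/*/config/ssl/sets.
# Assumption: 'current' is a symlink to sets/<number>, as the thread implies.
# Usage: prune_ssl_sets ROOT [--delete]   (default is a dry run that only lists)
prune_ssl_sets() {
    root=$1; mode=${2:-}
    for ssl in "$root"/*/config/ssl; do
        [ -d "$ssl/sets" ] || continue
        # Work out which numbered set is live; leave the site alone if unsure.
        keep=
        [ -L "$ssl/current" ] && keep=$(basename "$(readlink "$ssl/current")")
        case $keep in ''|*[!0-9]*) keep= ;; esac
        if [ -z "$keep" ] || [ ! -d "$ssl/sets/$keep" ]; then
            echo "skip (no usable current link): $ssl" >&2
            continue
        fi
        for dir in "$ssl"/sets/*; do
            [ -d "$dir" ] && [ ! -L "$dir" ] || continue
            name=$(basename "$dir")
            case $name in
                ''|*[!0-9]*) continue ;;   # only numbered sets are candidates
            esac
            [ "$name" = "$keep" ] && continue
            if [ "$mode" = "--delete" ]; then
                rm -rf -- "$dir" && echo "removed $dir"
            else
                echo "would remove $dir"
            fi
        done
    done
    return 0
}

# Constructed demo tree: one site with sets 3, 4 and 5, and current -> sets/5.
demo=$(mktemp -d)
site="$demo/example.test/config/ssl"
mkdir -p "$site/sets/3" "$site/sets/4" "$site/sets/5"
ln -s sets/5 "$site/current"
prune_ssl_sets "$demo"            # dry run: lists sets/3 and sets/4
prune_ssl_sets "$demo" --delete   # removes them, keeps sets/5
rm -rf "$demo"
```

Run it without `--delete` against one site first and compare the list with what `current` resolves to before pointing it at `/srv`.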