Delete extra cert files after adding the cert to storage #155
Conversation
gohai
force-pushed
the
delete-dehydrated-cert-files
branch
from
be2c0db to
fd915ca
Compare
dehydrated creates 5 files per domain, per renewal. While they are not big in size, a seizable number of (sub-) domains can this silently exhaust the number of available inodes.
gohai
force-pushed
the
delete-dehydrated-cert-files
branch
from
fd915ca to
1a1a1fb
Compare
|
@gohai: Sorry for the delay in getting to this, but many thanks for submitting this! So we do currently have some code in place that could potentially use these dehydrated certificate files as something of a backup if something goes wrong with the storage: However, in thinking about all this again, I think that approach probably stemmed from when I was doing early local testing/debugging or just paranoid about the stability of things. But now I'm not sure we really need to keep that code around, since that case really shouldn't be hit, and even if it was, it's not the end of the world (the approach also wouldn't be very effective on a multi-server setup). So I think all this looks good, I'm just getting the CI test suite to run again (in CircleCI 2.0, since our old 1.0 test suite is no longer running). After I get that working, I'll look to merge this in and cleanup some of that related code that this would make unnecessary. |
|
Thanks for looking into this @GUI! I thought along the same lines: in a multi-server setup you would not have the dehydrated files on all instances, which made the idea of deleting them locally (once they are in storage) more appealing. As for the code that attempts to re-upload dehydrated files to storage: I think this could potentially still have some merit in the case that |
|
This is finally part of a release in v0.13.0 that's now published. Thanks! |
dehydrated creates 5 files per domain, renewal. While they are not big in size, a seizable number of (sub-) domains can silently exhaust the number of available inodes on a system this way.