Tags: security, ssl, logging, lets-encrypt, certbot

Letsencrypt certificates in logs


I've configured certbot to generate and renew SSL certificates. Now I'm wiring logs to an external aggregator and I realised that plain certificates have been printed in the log files in /var/log/letsencrypt/. If I try a dry-run sudo certbot renew --dry-run I can find the following in the logs:

HTTP 200
Server: nginx
Date: Mon, 17 May 2021 17:03:10 GMT
Content-Type: application/pem-certificate-chain
Content-Length: 5763
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-staging-v02.api.letsencrypt.org/acme/cert/fad1c71f16bfd3347724907fb0fcaa101f8b/1>;rel="alternate"
Replay-Nonce: 0003YhKZdyLxPhNwsq5shqbKFhpxBsPqyL__TDJMSCf5DXs
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Does this only happen on dry runs? If not, it seems to be the way certbot works, but is it a safe practice?


Solution

  • Certificates are public anyway. Every client that connects to your server gets a copy. They are then signed with your private key to prove that you are the owner. Security only depends on keeping the private keys – well, private, and those are not included in the log files.

    PS: Certificates are also sent to so-called certificate transparency (CT) logs during creation. Those logs are public as well and everyone who knows your domain name can download your certificate from there.
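An added example, not code from the question, the answer or the certbot project, that turns the answer's point into a concrete check for the log-forwarding setup described in the question: before a file from /var/log/letsencrypt/ is shipped to the aggregator, scan it for PEM blocks, count the public ones (a certificate chain like the one in the question is fine to forward) and flag or redact anything that is not public, such as a private key that should never have been logged. The log excerpts below are constructed for the example and the certificate bodies are placeholders; the set of "public" PEM labels is an assumption chosen for this check.

```python
import re

# Constructed sample log excerpt, modelled on what certbot writes during a
# renewal: ACME response headers followed by a PEM certificate chain.
# The base64 bodies are placeholders, not real certificate data.
SAMPLE_LOG = """\
HTTP 200
Server: nginx
Content-Type: application/pem-certificate-chain
Replay-Nonce: 0003YhKZdyLxPhNwsq5shqbKFhpxBsPqyL__TDJMSCf5DXs

-----BEGIN CERTIFICATE-----
MIIFplaceholder...
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIFplaceholder...
-----END CERTIFICATE-----
"""

# Constructed excerpt of the case that must never happen: a private key
# block ended up in the log. Only used here to show the check firing.
SAMPLE_LOG_WITH_KEY = SAMPLE_LOG + """\
-----BEGIN PRIVATE KEY-----
MIIEvplaceholder...
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN/END lines with a matching label and a body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>.*?)\n-----END (?P=label)-----",
    re.DOTALL,
)

# Assumed allow-list: PEM labels that carry only public material. Every other
# label (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ...) is treated as secret.
PUBLIC_LABELS = {"CERTIFICATE", "X509 CRL", "CERTIFICATE REQUEST", "PUBLIC KEY"}


def classify_pem_blocks(text):
    """Return (public_block_count, [labels of non-public blocks]) for text."""
    public = 0
    secret = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group("label")
        if label in PUBLIC_LABELS:
            public += 1
        else:
            secret.append(label)
    return public, secret


def redact_secret_blocks(text, placeholder="[REDACTED PEM BLOCK]"):
    """Return text with every non-public PEM block replaced by placeholder.

    Public blocks (certificate chains) are left untouched, matching the answer:
    they are not secrets, so there is no reason to scrub them from the stream.
    """
    def replace(match):
        if match.group("label") in PUBLIC_LABELS:
            return match.group(0)
        return placeholder
    return PEM_BLOCK.sub(replace, text)


def is_safe_to_forward(text):
    """True when the excerpt contains no non-public PEM material."""
    _, secret = classify_pem_blocks(text)
    return not secret


if __name__ == "__main__":
    for name, log in (("dry-run log", SAMPLE_LOG), ("log with key", SAMPLE_LOG_WITH_KEY)):
        public, secret = classify_pem_blocks(log)
        print(f"{name}: {public} public block(s), secret labels: {secret}, "
              f"safe to forward: {is_safe_to_forward(log)}")
    print(redact_secret_blocks(SAMPLE_LOG_WITH_KEY))
```

Running the block stand-alone reports the dry-run excerpt as safe (two public certificate blocks, nothing secret) and the second excerpt as unsafe, then prints it with the private key block redacted. The check is label-based on purpose: the answer's distinction between public certificates and the private key maps directly onto the PEM header, so a forwarder can make the decision without parsing the certificate itself.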