LE Renew Job Requests Every Certificate We've Ever Requested :0

Okay, I have a Traefik daemonset in k8s with a Consul kv backend (certs stored in ..kv/traefik/acme/account). Hit an issue where the service account for LE DNS challenge was mounted as a volume instead of a file and we just hit a little snag over an expired certificate. Luckily we caught it and recovered fairly quickly, but the postmortem has me a little confused. We tuned our loglevel to INFO and watched the cert renewal process from the cluster renewal. Looks like traefik holds on to and renews any certificate it's ever been issued. Not sure if this is a side effect of the KV cert storage location, but would love to chat and figure out how to remedy that. Also, anyone know if that's still the case in 2.0?

All of our services are picked up from the --kubernetes flag. DNS challenges all passed, we got all the certs renewed, but I am sure there are 25-30 old subdomains in there that I would like to purge to prevent requesting them in the future, but don't know how without purging all of them.

Any help is greatly appreciated.

Edit: @daniel.tomcej or @ldez I don't mean to be pushy, but I would truly appreciate a reply of some sort. Even if that's a big IDK.

@Jakob,

Traefik renews all of its ACME certificates to keep them from expiring.

This is intended behavior.

Due to Traefik's stateless nature, failure to do so would result in hitting LetsEncrypt limits far more often.

If you are no longer using certificates, you can manually remove them from the store, and they will no longer be re-requested/renewed.

I was having a hard time figuring out how to extract a single cert, but your answer guided my hand. Thank you Daniel.

Just in case it helps someone else:

curl -s localhost:8500/v1/kv/traefik/acme/account/object?raw | gzip -dc | jq -r '.DomainsCertificate.Certs[] | select(.Domains.Main=="'<domain>'") | .Certificate'