Allow Custom Archive Folder Location

We currently run certbot in an AWS Lambda function with an EFS volume for storage. We place an NFS mount to the Let's Encrypt config directory for any webservers that require direct access to these certificates. This is a very convenient configuration for ephemeral Docker environments.

I would like the ability to define restricted access to domain-specific directories rather than exposing the entire config folder (i.e. mount /etc/letsencrypt/config/live/<DOMAIN> instead of /etc/letsencrypt/config). Because the symlinks under the live domain directory point to ../../archive/<DOMAIN>, our containers can't follow the link to access the certificate/private key contents.

This strategy would work if I had the ability to override the default directory structure and place the archive folder in a subdirectory of the live domain folder (e.g. configure /etc/letsencrypt/config/live/<DOMAIN>/archive instead of /etc/letsencrypt/config/archive/<DOMAIN>). I noticed that the configuration files under the renewal directories specify a value for archive_dir, however there isn't a CLI flag allowing this to be passed in explicitly when issuing a new certificate.

Would it be possible to allow an optional CLI flag, --archive-dir, to override the default behavior?



One alternative to consider would be setting a deploy-hook globally in /etc/letsencrypt/cli.ini which copies the certificates to another structure:

#!/usr/bin/env bash
DESTINATION=/path/to/dir/$(basename ${RENEWED_LINEAGE})
mkdir -p ${DESTINATION}
cp ${RENEWED_LINEAGE}/{privkey.pem,fullchain.pem} ${DESTINATION}/

then you could NFS mount that.


there are some hidden path config option for which directory certbot to lookup ( certbot -h all to see them)

Flags for changing execution paths & servers

--cert-path CERT_PATH
Path to where certificate is saved (with auth --csr), installed from, or revoked. (default:
--key-path KEY_PATH Path to private key for certificate installation or revocation (if account key is missing)
(default: None)
--fullchain-path FULLCHAIN_PATH
Accompanying path to a full certificate chain (certificate plus chain). (default: None)
--chain-path CHAIN_PATH
Accompanying path to a certificate chain. (default: None)
--config-dir CONFIG_DIR
Configuration directory. (default: /etc/letsencrypt)
--work-dir WORK_DIR Working directory. (default: /var/lib/letsencrypt)
--logs-dir LOGS_DIR Logs directory. (default: /var/log/letsencrypt)
--server SERVER ACME Directory Resource URI. (default:


If the suggestions from @_az and @orangepizza don't solve your problem (and I hope they do!), I would suggest following up with a request at


Another approach is to store your renewed certs in a secret manager/vault then get your containers or VMs etc to pull from that source on startup and as regular maintenance. This means you have least privileged access to specific certs and a single point of truth which is also not subject to potentially brittle long-term connectivity.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.