Better organizing letsencrypt files - instead of putting them in /etc/letsencrypt


How do I put letsencrypt files for specific domain(s) into a custom directory? (I don’t want to have anything important in /etc/letsencrypt.)

What I’m looking for is something like this:

certbot certonly --webroot -w /www/example_com/public \ -d -d \ --put-all-related-files-into /www/example_com/letsencrypt_files

This would be great for keeping things organized, isolated, and “where they belong”.


I would personally advise against this. If you do not properly secure those folders which will now be inside a website folder, you easily give access to anyone on the outside to all your LE information for that site including your privkey.pem and all your .conf files … basically everything.


It looks like I could achieve this by using a Docker container like this one:

This way I can choose the folder to use for each domain.

Thanks for warning me about the permissions. I’ll try to be careful with those.


I’m leaving this thread open, in case any of you want to give me further warnings in case I’m headed for a total disaster - or if you have alternative methods of doing this.


make sure you have in each and every vhost a location directive (example only)

location /letsencrypt_files { 
           deny  all;

also look at using global rules in a single file that gets applied to every host then you have one place toe make changes

so have a file like restrictions.conf in /etc/nginx/custom.d/ and in every vhost you simply include that include file include /etc/nginx/custom.d/restrictions.conf;
Then you can have all your default location directives all in one place


Just denying HTTP access is still not enough if the web server itself is compromised. The proper way is for the web server to load the private key, then drop privileges and run as a user that has no access to the private key file.

I completely fail to understand the motivation here. Why is it bad if important things live in /etc? Also your sense of where things “belong” is way off.


Thanks. I will make sure to chown it to root:root.

My goal is to keep all relevant files inside my ~ for more easier backups. I want everything outside ~ to be discardable. This way it’s easier to remember what I need to backup - only stuff inside ~.

Does this make sense to anyone here? :slight_smile:


I’d rather include /etc/letsencrypt in the backup. It’s just a path.


Not to me… There are a lot of things you’d like to backup I recon. Moving everything to a single location defies the POSIX rules about the Filesystem Hierarchy Standard.

I would recommend a better backup strategy.


No, it really doesn’t. /etc/ has historically been home to a lot of important configuration stuff, so to ignore it in your backups is unwise.


Hi @biggerssl432

There have been a few suggestions around good practices however to answer your question

Review the documentation:

I believe that is what the paths arguments are for.

Please note: I haven’t used or tested these

Arguments changing execution paths & servers

–cert-path CERT_PATH
Path to where cert is saved (with auth --csr),
installed from, or revoked. (default: None)
–key-path KEY_PATH Path to private key for cert installation or
revocation (if account key is missing) (default: None)
–fullchain-path FULLCHAIN_PATH
Accompanying path to a full certificate chain (cert
plus chain). (default: None)
–chain-path CHAIN_PATH
Accompanying path to a certificate chain. (default:

The renewal .conf files appear to keep a track of where the cert and private key are



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.