Can I change certificate location with `certbot` flags?

I'm using certbot 2.1.0 (Debian 12) to obtain certificates, and I'd like to change the save / storage directory to include Let's Encrypt, like so:

/etc/certbot/live/$DOMAIN/letsencrypt.org/

I can't create it in preflight as certbot states the live directory exists, and exits. Can I provide certbot with one or more flags to force the directory?

This is what I'm doing at the moment, which doesn't work (in this example, $DOMAIN is the same as $fqdn):

sudo /usr/bin/certbot \
certonly \
--agree-tos \
--cert-name "$fqdn" \
--chain-path /etc/certbot/live/"$fqdn"/letsencrypt.org/acme/ \
--config-dir /etc/certbot/ \
--domains "$fqdn" \
--fullchain-path /etc/certbot/live/"$fqdn"/letsencrypt.org/acme/ \
--key-path /etc/certbot/live/"$fqdn"/letsencrypt.org/acme/ \
--no-eff-email \
--register-unsafely-without-email \
--rsa-key-size 2048 \
--server https://acme-v02.api.letsencrypt.org/directory \
--webroot \
--webroot-path "$www_prefix"/www/heartbeat/_well-known

This results in:

Successfully received certificate.
Certificate is saved at: /etc/certbot/live/[$fqdn]/fullchain.pem
Key is saved at:         /etc/certbot/live/[$fqdn]/privkey.pem

I've read User Guide — Certbot 3.1.0 documentation but I'm missing the secret sauce to make this work (or, it's not possible).

I'd really appreciate any advice you have. Thank you.

Usually it's easiest to just let certbot manage its own files, and add a --deploy-hook to run a script to copy those files to wherever you want, with whatever permissions you want, and doing whatever service reconfiguration or reloading that's needed.

5 Likes

Ah - good idea, I didn't think of that. Thanks @petercooperjr - much appreciated!

6 Likes

Yeah, it's not always obvious just what options of certbot are useful for what. I think the options of specifying a path are more for cases where you're handling certificate lifecycle separately and giving a CSR directly to just use certbot for the ACME requests, rather than the more common case of certbot managing and automatically renewing certificates as needed. When certbot is managing things, then it's best to just leave /etc/letsencrypt alone and let it manage it however it wants to, and just script copies from there as needed using the deploy hook (be sure to look at the environment variables --deploy-hook can set in the documentation).

Always nice to meet a fellow Pete Cooper! Good luck.

4 Likes
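As an added illustration of the deploy-hook approach suggested above (this is example code, not from the thread or from the certbot project), here is a script to pass as `--deploy-hook`. It copies the renewed lineage into the per-CA layout the OP wanted, `/etc/certbot/live/$DOMAIN/letsencrypt.org/`, with tightened permissions. `RENEWED_LINEAGE` and `RENEWED_DOMAINS` are the environment variables certbot sets for deploy hooks; `DEST_ROOT`, `CA_NAME` and the commented reload command are assumptions.

```shell
#!/bin/sh
# Added example deploy hook for certbot (not the project's own code).
# Copies the renewed certificate into DEST_ROOT/DOMAIN/CA_NAME/ and locks
# down the private key. Assumed defaults below; override via environment.
set -eu

DEST_ROOT="${DEST_ROOT:-/etc/certbot/live}"   # assumption
CA_NAME="${CA_NAME:-letsencrypt.org}"         # assumption

# copy_lineage LINEAGE_DIR DOMAIN DEST_ROOT CA_NAME
# Copies fullchain.pem and privkey.pem out of the lineage certbot renewed,
# dereferencing certbot's live/ symlinks so the copies are regular files.
# Directory becomes 0750, fullchain 0644, private key 0600.
copy_lineage() {
    lineage="$1"; domain="$2"; dest_root="$3"; ca="$4"
    dest="$dest_root/$domain/$ca"
    # Refuse anything that does not look like a certbot lineage directory.
    [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || {
        echo "copy_lineage: $lineage is not a certbot lineage" >&2
        return 1
    }
    umask 077
    mkdir -p "$dest"
    chmod 0750 "$dest"
    cp -L "$lineage/fullchain.pem" "$dest/fullchain.pem"
    cp -L "$lineage/privkey.pem" "$dest/privkey.pem"
    chmod 0644 "$dest/fullchain.pem"
    chmod 0600 "$dest/privkey.pem"
}

# certbot sets RENEWED_LINEAGE only when invoking this as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # RENEWED_DOMAINS is space-separated; use the first name for the directory.
    primary="${RENEWED_DOMAINS%% *}"
    copy_lineage "$RENEWED_LINEAGE" "$primary" "$DEST_ROOT" "$CA_NAME"
    # Reload whatever serves the files (placeholder service name):
    # systemctl reload nginx
fi
```

Invoke it as `certbot certonly ... --deploy-hook /path/to/this-script.sh`; certbot runs it once per successful issuance or renewal, so the copy stays current without touching /etc/letsencrypt itself.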

🫡

There are a few of us around - I know of an author, a fiddler, a broadcaster…it's a quality club to be in!

5 Likes

There is another good alternative that may work for this usecase. It seems that @petecooper might be trying to shard certificates by ACME server; if that is the situation - --config-dir=/path/to/directory will overwrite /etc/letsencrypt - so the sharding happens on the entire configuration directory, not within it.

Certbot will keep the same format, but you can essentially have two (or more) completely different "installations" using the same installed binary. You will need separate cron jobs for each --config-dir flag, but this will allow a subscriber to isolate letsencrypt certs from others.

If this is not what you're trying to do, disregard.

5 Likes

Thanks @jvanasco - what I ended up doing (successfully, so far at least) is changing the working directory for each of Let's Encrypt & ZeroSSL (with provision to add others down the line).

Rather than /etc/certbot/live/$DOMAIN/letsencrypt.org/ per my OP, I landed on --config-dir /etc/certbot/letsencrypt.org/, which takes care of its own scaffolding from there. It's not perfect, but it allows me to have Let's Encrypt and ZeroSSL on the same system without clashing.

3 Likes

Sounds good. It seemed like that's what you were doing.

Small bit of advice: drop a quick README.txt in that directory that details how/why this departs from a normal installation.

5 Likes

Thanks for the guidance @jvanasco - much appreciated.

2 Likes