I'm using certbot 2.1.0 (Debian 12) to obtain certificates, and I'd like to change the save / storage directory to include Let's Encrypt, like so:
/etc/certbot/live/$DOMAIN/letsencrypt.org/
I can't create it in preflight as certbot states the live directory exists, and exits. Can I provide certbot with one or more flags to force the directory?
This is what I'm doing at the moment, which doesn't work (in this example, $DOMAIN is the same as $fqdn):
Successfully received certificate.
Certificate is saved at: /etc/certbot/live/[$fqdn]/fullchain.pem
Key is saved at: /etc/certbot/live/[$fqdn]/privkey.pem
Usually it's easiest to just let certbot manage its own files, and add a --deploy-hook to run a script to copy those files to wherever you want, with whatever permissions you want, and do whatever service reconfiguration or reloading is needed.
Yeah, it's not always obvious just what options of certbot are useful for what. I think the options of specifying a path are more for cases where you're handling certificate lifecycle separately and giving a CSR directly to just use certbot for the ACME requests, rather than the more common case of certbot managing and automatically renewing certificates as needed. When certbot is managing things, then it's best to just leave /etc/letsencrypt alone and let it manage it however it wants to, and just script copies from there as needed using the deploy hook (be sure to look at the environment variables --deploy-hook can set in the documentation).
Always nice to meet a fellow Pete Cooper! Good luck.
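The deploy-hook approach suggested in the two replies above, as an added example that is not code from the thread or from the certbot project. It relies on the RENEWED_LINEAGE and RENEWED_DOMAINS variables certbot exports to a --deploy-hook; the destination root under /etc/certbot, the letsencrypt.org subdirectory and the nginx reload are assumptions chosen for this example:

```shell
#!/bin/sh
# Added example: a certbot --deploy-hook script (not from the original thread).
# certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.org) and
# RENEWED_DOMAINS (space-separated) for the hook. DEST_ROOT is an assumed
# destination root for this example.
set -eu

DEST_ROOT="${DEST_ROOT:-/etc/certbot}"   # hypothetical target root

# copy_lineage LINEAGE_DIR DEST_DIR
# Copies fullchain.pem and privkey.pem from a lineage into DEST_DIR. The files
# under live/ are symlinks into archive/; `install` follows them and copies the
# content, so the copy does not depend on certbot's own tree afterwards.
# Chain is world-readable, key is owner-only. Returns 1 if a source is missing.
copy_lineage() {
  lineage="$1"; dest="$2"
  [ -f "$lineage/fullchain.pem" ] && [ -f "$lineage/privkey.pem" ] || return 1
  mkdir -p "$dest"
  install -m 0644 "$lineage/fullchain.pem" "$dest/fullchain.pem"
  install -m 0600 "$lineage/privkey.pem" "$dest/privkey.pem"
}

# deploy_renewed: uses the variables certbot sets for the hook and lays the
# files out as /etc/certbot/<lineage>/letsencrypt.org/ (assumed layout).
deploy_renewed() {
  name=$(basename "$RENEWED_LINEAGE")
  copy_lineage "$RENEWED_LINEAGE" "$DEST_ROOT/$name/letsencrypt.org"
  echo "deployed $RENEWED_DOMAINS to $DEST_ROOT/$name/letsencrypt.org"
  # Reload the consumer of the files; assumed to be nginx here.
  if command -v systemctl >/dev/null 2>&1; then
    systemctl reload nginx || true
  fi
}

# Only act when certbot actually invoked this file as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_renewed
fi
```

Wire it in with `certbot ... --deploy-hook /usr/local/bin/deploy-cert.sh`; certbot records the hook in the lineage's renewal config, so later automatic renewals run it too.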
There is another good alternative that may work for this use case. It seems that @petecooper might be trying to shard certificates by ACME server; if that is the situation, --config-dir=/path/to/directory will overwrite /etc/letsencrypt, so the sharding happens on the entire configuration directory, not within it.
Certbot will keep the same format, but you can essentially have two (or more) completely different "installations" using the same installed binary. You will need separate cron jobs for each --config-dir flag, but this will allow a subscriber to isolate letsencrypt certs from others.
If this is not what you're trying to do, disregard.
Thanks @jvanasco - what I ended up doing (successfully, so far at least) is changing the working directory for each of Let's Encrypt & ZeroSSL (with provision to add others down the line).
Rather than /etc/certbot/live/$DOMAIN/letsencrypt.org/ per my OP, I landed on --config-dir /etc/certbot/letsencrypt.org/, which takes care of its own scaffolding from there. It's not perfect, but it allows me to have Let's Encrypt and ZeroSSL on the same system without clashing.
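The per-ACME-server sharding described in the two posts above, as an added example that is not code from the thread or from certbot itself. The /etc/certbot root, the shard names and the CERTBOT override are assumptions for this example; the ACME directory URLs are the ones the two CAs publish. It also splits --work-dir and --logs-dir per shard, which goes a little beyond the thread: with only --config-dir set, all shards would still share certbot's default work and log directories.

```shell
#!/bin/sh
# Added example (not from the thread): one certbot binary, one --config-dir
# per ACME server, so each CA gets its own account, renewal configs and
# live/ tree. ROOT and CERTBOT are assumptions for this example.
set -eu

ROOT="${ROOT:-/etc/certbot}"       # hypothetical root holding all shards
CERTBOT="${CERTBOT:-certbot}"      # override to exercise the script without certbot

# server_url NAME -> ACME directory URL for a shard, or fail on unknown names
server_url() {
  case "$1" in
    letsencrypt.org) echo "https://acme-v02.api.letsencrypt.org/directory" ;;
    zerossl.com)     echo "https://acme.zerossl.com/v2/DV90" ;;
    *) echo "unknown ACME shard: $1" >&2; return 1 ;;
  esac
}

# shard_args NAME -> flags that keep a shard fully self-contained. Work and
# log dirs are split as well so shards do not share certbot's default
# /var/lib/letsencrypt and /var/log/letsencrypt.
shard_args() {
  url=$(server_url "$1") || return 1
  printf '%s' "--config-dir $ROOT/$1 --work-dir $ROOT/$1/work --logs-dir $ROOT/$1/logs --server $url"
}

# renew_shard NAME: `certbot renew` for one shard. Every invocation for a
# shard, cron renewals included, must repeat the same --config-dir; without
# it certbot looks in /etc/letsencrypt and finds nothing to renew.
renew_shard() {
  # shellcheck disable=SC2046  (word splitting of the flag string is intended)
  "$CERTBOT" renew $(shard_args "$1") --quiet
}

# renew_all: what one cron entry per shard does, collapsed into a loop.
renew_all() {
  for shard in letsencrypt.org zerossl.com; do
    renew_shard "$shard"
  done
}
```

Issuing a certificate for a shard uses the same flag set, e.g. `certbot certonly $(shard_args zerossl.com) -d example.org ...`, plus whatever account options that CA needs at first registration; renewal configs written under each shard carry the server and directories with them.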