My domain is: darwin.pragmatika.net
I ran this command:
sudo apt update \
&& sudo rm -rf \
/opt/eff.org/certbot/venv/ \
/opt/certbot/ \
&& sudo git clone --depth 1 https://github.com/certbot/certbot /opt/certbot/ \
&& heartbeatfqdn=$(cat /etc/fqdn) \
&& read -p 'Email address for renewal alerts (e.g. www@example.com): ' certbotemail \
&& sudo /opt/certbot/certbot-auto \
certonly \
--agree-tos \
--cert-name $heartbeatfqdn \
--cert-path /etc/certbot/live/$heartbeatfqdn/ \
--chain-path /etc/certbot/live/$heartbeatfqdn/ \
--domains $heartbeatfqdn \
--dry-run \
--email $certbotemail \
--fullchain-path /etc/certbot/live/$heartbeatfqdn/ \
--key-path /etc/certbot/live/$heartbeatfqdn/ \
--must-staple \
--no-eff-email \
--rsa-key-size 4096 \
--server https://acme-staging-v02.api.letsencrypt.org/directory \
--staple-ocsp \
--webroot \
--webroot-path /var/www/heartbeat/_well-known \
&& sudo /opt/certbot/certbot-auto \
certonly \
--agree-tos \
--cert-name $heartbeatfqdn \
--cert-path /etc/certbot/live/$heartbeatfqdn/ \
--chain-path /etc/certbot/live/$heartbeatfqdn/ \
--domains $heartbeatfqdn \
--email $certbotemail \
--fullchain-path /etc/certbot/live/$heartbeatfqdn/ \
--key-path /etc/certbot/live/$heartbeatfqdn/ \
--must-staple \
--no-eff-email \
--rsa-key-size 4096 \
--server https://acme-v02.api.letsencrypt.org/directory \
--staple-ocsp \
--webroot \
--webroot-path /var/www/heartbeat/_well-known
It produced this output:
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
IMPORTANT NOTES:
- The dry run was successful.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for darwin.pragmatika.net
Using the webroot path /var/www/heartbeat/_well-known for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/darwin.pragmatika.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/darwin.pragmatika.net/privkey.pem
Your cert will expire on 2020-02-02. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again. To non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
My web server is (include version): Nginx 1.17.4 from source.
The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS
My hosting provider, if applicable, is: DigitalOcean
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you’re using Certbot): certbot 0.39.0
Leaf cert: 2070969775
Pre cert: 2070970711
=====
Here’s the beef: I’m confused as to why the certificate is saved to /etc/letsencrypt/live/
when I used the --cert-path
, --chain-path
and --fullchain-path
is set to /etc/letsencrypt/live/
in both the dry run and the live run.
This has come about as I am overhauling my build guide, replacing references to letsencrypt
with certbot
, to avoid any legal wrangles.
Am I doing something wrong, or have I stumbled on a bug?
Thanks in advance for any pointers.