`--cert-path`, `--chain-path`, `--fullchain-path` seemingly not working

My domain is: darwin.pragmatika.net

I ran this command:

sudo apt update \
&& sudo rm -rf \
/opt/eff.org/certbot/venv/ \
/opt/certbot/ \
&& sudo git clone --depth 1 https://github.com/certbot/certbot /opt/certbot/ \
&& heartbeatfqdn=$(cat /etc/fqdn) \
&& read -p 'Email address for renewal alerts (e.g. www@example.com): ' certbotemail \
&& sudo /opt/certbot/certbot-auto \
certonly \
--agree-tos \
--cert-name $heartbeatfqdn \
--cert-path /etc/certbot/live/$heartbeatfqdn/ \
--chain-path /etc/certbot/live/$heartbeatfqdn/ \
--domains $heartbeatfqdn \
--dry-run \
--email $certbotemail \
--fullchain-path /etc/certbot/live/$heartbeatfqdn/ \
--key-path /etc/certbot/live/$heartbeatfqdn/ \
--must-staple \
--no-eff-email \
--rsa-key-size 4096 \
--server https://acme-staging-v02.api.letsencrypt.org/directory \
--staple-ocsp \
--webroot \
--webroot-path /var/www/heartbeat/_well-known \
&& sudo /opt/certbot/certbot-auto \
certonly \
--agree-tos \
--cert-name $heartbeatfqdn \
--cert-path /etc/certbot/live/$heartbeatfqdn/ \
--chain-path /etc/certbot/live/$heartbeatfqdn/ \
--domains $heartbeatfqdn \
--email $certbotemail \
--fullchain-path /etc/certbot/live/$heartbeatfqdn/ \
--key-path /etc/certbot/live/$heartbeatfqdn/ \
--must-staple \
--no-eff-email \
--rsa-key-size 4096 \
--server https://acme-v02.api.letsencrypt.org/directory \
--staple-ocsp \
--webroot \
--webroot-path /var/www/heartbeat/_well-known

It produced this output:

Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate

IMPORTANT NOTES:
 - The dry run was successful.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for darwin.pragmatika.net
Using the webroot path /var/www/heartbeat/_well-known for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/darwin.pragmatika.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/darwin.pragmatika.net/privkey.pem
   Your cert will expire on 2020-02-02. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): Nginx 1.17.4 from source.

The operating system my web server runs on is (include version): Ubuntu 18.04.3 LTS

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.39.0

Leaf cert: 2070969775
Pre cert: 2070970711

=====

Here’s the beef: I’m confused as to why the certificate is saved to /etc/letsencrypt/live/ when I used --cert-path, --chain-path and --fullchain-path set to /etc/letsencrypt/live/ in both the dry run and the live run.

This has come about as I am overhauling my build guide, replacing references to letsencrypt with certbot, to avoid any legal wrangles.

Am I doing something wrong, or have I stumbled on a bug?

Thanks in advance for any pointers.


This has come about as I am overhauling my build guide, replacing references to letsencrypt with certbot, to avoid any legal wrangles.

You shouldn't have to worry about this. Stick with the default paths that certbot provides and you should be good to go.


Thank you, @Phil – I appreciate the reassurance on the legal tip.

Is there a limitation on the paths that can be used with the --*-path flags? Do they have to contain the string letsencrypt in some form?


You can use "--config-dir /etc/certbot/".

For what it's worth, you can download the certbot-auto file by itself from https://dl.eff.org/certbot-auto. You don't need to clone a bunch of extra files from GitHub.

And there are other packages available for many OSes. The Certbot developers don't really recommend certbot-auto as the primary way to install it.

See e.g. https://certbot.eff.org/lets-encrypt/ubuntuother-other.

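A quick way to confirm where certbot actually put the files after a run with --config-dir, and that the private key belongs to the leaf certificate, as an added example that is not from this thread or from the Certbot project. It assumes certbot's default layout of <config-dir>/live/<cert-name>/{cert,chain,fullchain,privkey}.pem; the function names and the example.test name are the author's own, and the second function builds a constructed self-signed stand-in tree so the check can be tried offline.

```shell
#!/bin/sh
# Added example: check a certbot tree relocated with --config-dir.
# Assumed layout: <config-dir>/live/<cert-name>/{cert,chain,fullchain,privkey}.pem

# Returns 0 when all four files exist and privkey.pem matches cert.pem, else 1.
certbot_live_check() {
    config_dir=$1
    cert_name=$2
    live_dir="$config_dir/live/$cert_name"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        if [ ! -r "$live_dir/$f" ]; then
            echo "missing: $live_dir/$f" >&2
            return 1
        fi
    done
    # Compare the public key embedded in the leaf with the one derived from the private key.
    cert_pub=$(openssl x509 -in "$live_dir/cert.pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$live_dir/privkey.pem" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "cert.pem and privkey.pem do not match in $live_dir" >&2
        return 1
    fi
    echo "$live_dir: all four files present, key matches certificate"
    return 0
}

# Constructed stand-in for a certbot tree (self-signed, no ACME server needed),
# only so the check above can be exercised without issuing a real certificate.
make_fake_certbot_tree() {
    config_dir=$1
    cert_name=$2
    live_dir="$config_dir/live/$cert_name"
    mkdir -p "$live_dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$cert_name" \
        -keyout "$live_dir/privkey.pem" -out "$live_dir/cert.pem" >/dev/null 2>&1
    # A real chain.pem holds the intermediate; for a self-signed cert it is the cert itself.
    cp "$live_dir/cert.pem" "$live_dir/chain.pem"
    cat "$live_dir/cert.pem" "$live_dir/chain.pem" > "$live_dir/fullchain.pem"
}

# Usage against a real tree: certbot_live_check /etc/certbot darwin.pragmatika.net
# Offline demo:
#   tmp=$(mktemp -d); make_fake_certbot_tree "$tmp" example.test; certbot_live_check "$tmp" example.test
```

On a real host you would point the first argument at whatever you passed to --config-dir (here /etc/certbot) and the second at the --cert-name value; a non-zero exit tells you the files did not land where the web server configuration expects them.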

Thank you, @mnordhoff - I will give --config-dir a spin now. Much appreciated! I’ll also check out more efficient alternatives, thanks for the pointer.

