Certbot creates certificate in wrong path

I'm using certbot to generate my SSL certificate using this command:

certbot certonly --nginx -d xxxxx.com -n --test-cert --agree-tos -m xxxxx@yyyyy.com --cert-path /etc/letsencrypt/live/xxxxx.com/fullchain.pem --key-path /etc/letsencrypt/live/xxxxx.com/privkey.pem 

It works fine but it isn't saving the files in the right directory. Instead of creating them under /etc/letsencrypt/live/xxxxx.com, it's creating them under /etc/letsencrypt/live/xxxxx-0001.com . Why is this happening?

2 Likes

I don't know the answer to your actual question, but why would you want to use --cert-path like this in the first place? I can't think of any good reason.

The files in /live/ are actually symbolic links and certbot will error out if it doesn't find symlinks there. Also, you're overwriting the fullchain with a single cert, which is probably not what you want.

So I'd like to suggest we move this discussion a bit away from what you're actually asking and move to what the end result is you're trying to achieve.

3 Likes

Certbot will create the -nnnn suffix if you already have an existing certificate which contains xxxxx.com and:

  • The existing certificate is not a duplicate of the new certificate you're requesting (so it's not a renewal), and
  • The new certificate is not a strict superset of the existing certificate (so Certbot can't simply expand the existing certificate).

That's a bit of a mouthful, but it basically means that Certbot has to create a separate certificate in order not to reduce the existing certificate's coverage. To avoid overwriting your existing certificate, it needs a different certificate name (hence the -0001).

If it is your intention to replace the existing certificate, then you may use --cert-name to achieve that:

certbot --cert-name xxxxx.com --nginx -d xxxxx.com -d xxxxx.com

and it will overwrite the existing certificate in-place.

Edit: ah, I think I badly misread the OP's question. Either way, I believe you will want to use --cert-name rather than specifying --cert-path and --key-path within /etc/letsencrypt/live.

8 Likes
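To make the naming rule in the reply above concrete, here is an added example that models it in Python. This is not certbot's own code; it is a simulation of the described decision (duplicate set renews in place, strict superset expands, anything else gets a -NNNN suffix, and --cert-name pins the lineage). The lineage names, domain sets and the /etc/letsencrypt/live path are constructed for illustration.

```python
"""Added example (not certbot's own code): a model of how certbot chooses the
lineage name under /etc/letsencrypt/live, following the rule described in the
reply above. Domain names and lineage names are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Mapping

LIVE_DIR = "/etc/letsencrypt/live"  # assumed default Certbot config dir


@dataclass(frozen=True)
class Outcome:
    action: str  # "renew", "expand", "new" or "replace"
    name: str    # lineage name, i.e. the directory under /etc/letsencrypt/live


def next_free_name(base: str, existing: Mapping[str, frozenset[str]]) -> str:
    """Return base if unused, otherwise base-0001, base-0002, ... (first free)."""
    if base not in existing:
        return base
    n = 1
    while f"{base}-{n:04d}" in existing:
        n += 1
    return f"{base}-{n:04d}"


def choose_lineage(existing: Mapping[str, frozenset[str]],
                   domains: Iterable[str],
                   cert_name: str | None = None) -> Outcome:
    """Decide which lineage a 'certbot ... -d d1 -d d2' run would write to.

    existing maps lineage name -> set of domains that lineage currently covers.
    domains is the list of -d values in the order given on the command line.
    """
    domains = list(domains)
    requested = frozenset(domains)

    if cert_name is not None:
        # --cert-name pins the lineage: it is created if missing, otherwise
        # renewed (same domains) or replaced in place (different domains).
        if cert_name not in existing:
            return Outcome("new", cert_name)
        if existing[cert_name] == requested:
            return Outcome("renew", cert_name)
        return Outcome("replace", cert_name)

    # 1. A lineage covering exactly the requested domains: plain renewal.
    for name, covered in existing.items():
        if covered == requested:
            return Outcome("renew", name)

    # 2. The request is a strict superset of an existing lineage: that lineage
    #    can be expanded without dropping any name it currently covers.
    for name, covered in existing.items():
        if requested > covered:
            return Outcome("expand", name)

    # 3. Anything else would shrink an existing lineage's coverage, so a fresh
    #    name derived from the first -d domain is used: xxxxx.com-0001, ...
    return Outcome("new", next_free_name(domains[0], existing))


def live_paths(name: str) -> tuple[str, str]:
    """The (fullchain, privkey) symlinks an automation tool should read from."""
    return (f"{LIVE_DIR}/{name}/fullchain.pem", f"{LIVE_DIR}/{name}/privkey.pem")


if __name__ == "__main__":
    # Constructed state: one lineage already covers xxxxx.com and www.xxxxx.com.
    state = {"xxxxx.com": frozenset({"xxxxx.com", "www.xxxxx.com"})}
    # Asking for xxxxx.com alone is neither a duplicate nor a superset -> -0001.
    print(choose_lineage(state, ["xxxxx.com"]))
    # Pinning the name with --cert-name keeps the path stable instead.
    print(choose_lineage(state, ["xxxxx.com"], cert_name="xxxxx.com"))
    print(live_paths("xxxxx.com"))
```

For automation, the practical consequence is the second call: pass --cert-name and then read the fullchain.pem and privkey.pem symlinks under that fixed lineage directory, rather than guessing the newest -NNNN directory.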

I'm automating certain processes using Python/Ansible and given the fact that the command is adding an incremented suffix, I need to make sure that the certificate is always created in a known path, instead of searching for the latest directory under /etc/letsencrypt/live.

I.e., I need the command to be idempotent no matter what changes happen under /etc/letsencrypt directories.

@_az --cert-name suggestion solved it for me!

2 Likes
