Certbot creates certificate in wrong path

I'm using certbot to generate my SSL certificate using this command:

certbot certonly --nginx -d xxxxx.com -n --test-cert --agree-tos -m xxxxx@yyyyy.com --cert-path /etc/letsencrypt/live/xxxxx.com/fullchain.pem --key-path /etc/letsencrypt/live/xxxxx.com/privkey.pem 

It works fine but it isn't saving the files in the right directory. Instead of creating them under /etc/letsencrypt/live/xxxxx.com , it's creating them under /etc/letsencrypt/live/xxxxx-0001.com . Why is this happening?


I don't know the answer to your actual question, but why would you want to use --cert-path like this in the first place? I can't think of any good reason..

The files in /live/ are actually symbolic links and certbot will error out if it doesn't find symlinks there. Also, you're overwriting the fullchain with a single cert, which is probably not what you want.

So I'd like to suggest we move this discussion a bit away from what you're actually asking and move to what the end result is you're trying to achieve.


Certbot will create the -nnnn suffix if you already have an existing certificate which contains xxxxx.com and:

  • The existing certificate is not a duplicate of the new certificate you're requesting (so it's not a renewal), and
  • The new certificate is not a strict superset of the existing certificate (so Certbot can't simply expand the existing certificate),

That's a bit of a mouthful, but it basically means that Certbot has to create a separate certificate in order not to reduce the existing certificate's coverage. To avoid overwriting up your existing certificate, it needs a different certificate name (hence the -0001).

If it is your intention to replace the existing certificate, then you may use --cert-name to achieve that:

certbot --cert-name xxxxx.com --nginx -d xxxxx.com -d xxxxx.com

and it will overwrite the existing certificate in-place.

Edit: ah, I think I badly misread the OP's question. Either way, I believe you will want to use --cert-name rather than specifying --cert-path and --key-path within /etc/letsencrypt/live.


I'm automating certain processes using Python/Ansible and given the fact that the command is adding an incremented suffix, I need to make sure that the certificate is always created in a known path, instead of searching for the latest directory under /etc/letsencrypt/live.

I.e I need the command to be idempotent no matter what changes happen under /etc/letsencrypt directories.

@_az --cert-name suggestion solved it for me !


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.