Certbot file structure: need detailed demo

When trying to move existing cert files from another client to certbot, one needs enough details to map the one to the other. I have yet to see a real example of a certbot file structure in enough detail to make a working copy script.

There are several descriptions of linking but the descriptions are a little vague. There are also mentions of different subdirectories in help topics that are not found in the official docs.

Links or pointers to a working structure on *nix would be very welcome.

I will be happy to create a PR for the docs if I can see a good example for, say, example.com and foo.com as two separate domains with their own certs.

Thanks.

Read the Python code on GitHub.

There should be a file

/etc/letsencrypt/renewal/certname.conf

It should contain at least

version = somecertbotversion
archive_dir = /etc/letsencrypt/archive/certname
cert = /etc/letsencrypt/live/certname/cert.pem
privkey = /etc/letsencrypt/live/certname/privkey.pem
chain = /etc/letsencrypt/live/certname/chain.pem
fullchain = /etc/letsencrypt/live/certname/fullchain.pem

It should also contain a [renewalparams] section to give Certbot enough information to renew the certificate, but this is quite tricky to create from outside of Certbot because it includes references to what Certbot parameters were used to obtain the certificate, which might not be possible or meaningful when no such parameters were used. The most challenging part is that it includes account = someaccountnumber, which is a reference to /etc/letsencrypt/accounts/apihost/directorypath/someaccountnumber, which in turn is a directory containing meta.json, private_key.json, and regr.json. I don’t have enough familiarity with those files to describe them; they represent an account on an ACME server.

To continue, you would then have at least

/etc/letsencrypt/archive/certname/cert1.pem
/etc/letsencrypt/archive/certname/fullchain1.pem
/etc/letsencrypt/archive/certname/privkey1.pem
/etc/letsencrypt/archive/certname/chain1.pem

which are PEM files with appropriate contents, and symbolic links

/etc/letsencrypt/live/certname/cert.pem -> ../../archive/certname/cert1.pem
/etc/letsencrypt/live/certname/fullchain.pem -> ../../archive/certname/fullchain1.pem
/etc/letsencrypt/live/certname/privkey.pem -> ../../archive/certname/privkey1.pem
/etc/letsencrypt/live/certname/chain.pem -> ../../archive/certname/chain1.pem

So I guess the next step would be to document Certbot’s representation of an account. However, you could also create one directly with certbot register, and then get the hexadecimal value of that account identifier from your /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory directory.

To allow automated renewals, you must also set account = thataccountidentifier inside the [renewalparams] section. You still need at the very least an authenticator = line referring to a Certbot plugin that can act as an authenticator (e.g. nginx, apache, webroot, standalone), and should have either installer = some installer plugin (currently most likely nginx or apache) or else installer = None to mimic the effects of having obtained the certificate with certonly.

Some plugins also require additional parameters. For example, webroot would want a webroot_path, which can be declared in the same [renewalparams] section.

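The reply above, turned into the copy script the original question asked for. This is an added example, not Certbot's own tooling and not code from either poster; it only reproduces the archive/live/renewal layout described in the reply. Everything it adds beyond that reply is an assumption: the config directory is a parameter (so it can be rehearsed outside /etc/letsencrypt), the Certbot version string is taken from CERTBOT_VERSION or from certbot --version, the authenticator defaults to standalone unless a webroot is given, the account id is read from the accounts directory exactly as the reply suggests, and the function names (certbot_find_account, certbot_key_matches_cert, certbot_import) are invented here.

```shell
#!/bin/sh
# Added example, not Certbot's own tooling. Lays out an externally obtained
# certificate in the archive/live/renewal structure described in the reply.
# Assumptions not in the post: BASE, the version string, the account id and
# the authenticator are supplied by the caller; function names are invented.
set -eu

# Print the id of the first ACME account under BASE/accounts/, i.e. the
# hexadecimal directory that holds meta.json, private_key.json and regr.json.
certbot_find_account() {
    for d in "$1"/accounts/*/directory/*/; do
        if [ -f "$d/regr.json" ]; then
            basename "$d"
            return 0
        fi
    done
    echo "no ACME account under $1/accounts (run certbot register first)" >&2
    return 1
}

# Return 0 only if PRIVKEY is the key the certificate was issued for
# (compares the SubjectPublicKeyInfo of both; works for RSA and EC keys).
certbot_key_matches_cert() {
    c=$(openssl x509 -noout -pubkey -in "$1") || return 1
    k=$(openssl pkey -pubout -in "$2") || return 1
    [ "$c" = "$k" ]
}

# certbot_import BASE CERTNAME CERT PRIVKEY CHAIN ACCOUNT [WEBROOT]
#   BASE      Certbot config directory (normally /etc/letsencrypt)
#   CERTNAME  lineage name, e.g. example.com
#   CERT PRIVKEY CHAIN  PEM files produced by the other client
#   ACCOUNT   account id, e.g. the output of certbot_find_account
#   WEBROOT   optional document root; selects authenticator = webroot
certbot_import() {
    base=$1; name=$2; cert=$3; key=$4; chain=$5; account=$6; webroot=${7:-}
    archive="$base/archive/$name"
    live="$base/live/$name"
    conf="$base/renewal/$name.conf"

    # Never clobber a lineage Certbot already manages.
    if [ -e "$archive" ] || [ -e "$live" ] || [ -e "$conf" ]; then
        echo "lineage $name already exists under $base" >&2
        return 1
    fi
    # Cheap sanity check that the inputs are PEM of the expected kind.
    grep -q 'BEGIN CERTIFICATE' "$cert"  || { echo "$cert: not a PEM certificate" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$chain" || { echo "$chain: not a PEM certificate" >&2; return 1; }
    grep -q 'PRIVATE KEY' "$key"         || { echo "$key: not a PEM private key" >&2; return 1; }

    ver=${CERTBOT_VERSION:-$(certbot --version 2>/dev/null | awk '{print $2}')}
    [ -n "$ver" ] || { echo "set CERTBOT_VERSION (certbot not found)" >&2; return 1; }

    mkdir -p "$archive" "$live" "$base/renewal"

    # First version of the lineage is number 1; later renewals become 2, 3, ...
    cp "$cert"  "$archive/cert1.pem"
    cp "$chain" "$archive/chain1.pem"
    # fullchain = leaf followed by chain; awk 1 guarantees a newline between them.
    awk 1 "$cert" "$chain" > "$archive/fullchain1.pem"
    # The private key is never world-readable, not even briefly.
    ( umask 077; cp "$key" "$archive/privkey1.pem" )
    chmod 600 "$archive/privkey1.pem"
    chmod 644 "$archive/cert1.pem" "$archive/chain1.pem" "$archive/fullchain1.pem"

    # live/ holds relative symlinks so a renewal only has to repoint them.
    for f in cert privkey chain fullchain; do
        ln -s "../../archive/$name/${f}1.pem" "$live/$f.pem"
    done

    if [ -n "$webroot" ]; then auth=webroot; else auth=standalone; fi
    cat > "$conf" <<EOF
version = $ver
archive_dir = $archive
cert = $live/cert.pem
privkey = $live/privkey.pem
chain = $live/chain.pem
fullchain = $live/fullchain.pem

[renewalparams]
account = $account
authenticator = $auth
installer = None
EOF
    # webroot_path form as described in the reply (assumption: no webroot_map).
    if [ -n "$webroot" ]; then
        printf 'webroot_path = %s\n' "$webroot" >> "$conf"
    fi
}
```

Typical use on a real host, as root: run certbot_key_matches_cert on the files first, then `certbot_import /etc/letsencrypt example.com cert.pem privkey.pem chain.pem "$(certbot_find_account /etc/letsencrypt)" /var/www/html`, and finish with `certbot renew --dry-run` to confirm that Certbot accepts the lineage before its real expiry. Two unrelated domains (example.com and foo.com in the question) are simply two calls with two lineage names; nothing is shared except the account.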
