Certbot file structure: need detailed demo

There should be a file

/etc/letsencrypt/renewal/certname.conf

It should contain at least

version = somecertbotversion
archive_dir = /etc/letsencrypt/archive/certname
cert = /etc/letsencrypt/live/certname/cert.pem
privkey = /etc/letsencrypt/live/certname/privkey.pem
chain = /etc/letsencrypt/live/certname/chain.pem
fullchain = /etc/letsencrypt/live/certname/fullchain.pem

It should also contain a [renewalparams] section to give Certbot enough information to renew the certificate, but this is quite tricky to create from outside of Certbot because it includes references to what Certbot parameters were used to obtain the certificate, which might not be possible or meaningful when no such parameters were used. The most challenging part is that it includes account = someaccountnumber, which is a reference to /etc/letsencrypt/accounts/apihost/directorypath/someaccountnumber, which in turn is a directory containing meta.json, private_key.json, and regr.json. I don’t have enough familiarity with those files to describe them; they represent an account on an ACME server.

To continue, you would then have at least

/etc/letsencrypt/archive/certname/cert1.pem
/etc/letsencrypt/archive/certname/fullchain1.pem
/etc/letsencrypt/archive/certname/privkey1.pem
/etc/letsencrypt/archive/certname/chain1.pem

which are PEM files with appropriate contents, and symbolic links

/etc/letsencrypt/live/certname/cert.pem -> ../../archive/certname/cert1.pem
/etc/letsencrypt/live/certname/fullchain.pem -> ../../archive/certname/fullchain1.pem
/etc/letsencrypt/live/certname/privkey.pem -> ../../archive/certname/privkey1.pem
/etc/letsencrypt/live/certname/chain.pem -> ../../archive/certname/chain1.pem

So I guess the next step would be to document Certbot’s representation of an account. However, you could also create one directly with certbot register, and then get the hexadecimal value of that account identifier from your /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory directory.

To allow automated renewals, you must also set account = thataccountidentifier inside the [renewalparams] section. You still need at the very least an authenticator = line referring to a Certbot plugin that can act as an authenticator (e.g. nginx, apache, webroot, standalone), and should have either installer = some installer plugin (currently most likely nginx or apache) or else installer = None to mimic the effects of having obtained the certificate with certonly.

Some plugins also require additional parameters. For example, webroot would want a webroot_path, which can be declared in the same [renewalparams] section.
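The layout described above (renewal/certname.conf with its top-level paths and a [renewalparams] section, versioned PEM files in archive/, and relative symbolic links in live/) is easy to get subtly wrong when built by hand, and a mismatch only surfaces at the next renewal. The script below is an added example, not code from the post or from Certbot itself: it builds that layout in a temporary directory from constructed placeholder data (the version string, the account identifier and the PEM bodies are placeholders, not real values) and then checks the lineage for the consistency properties the post describes: every live/ link resolves to a versioned file in the archive directory named in the conf, all four links point at the same archive version, the conf's cert/privkey/chain/fullchain entries match the live/ paths, and [renewalparams] carries account and authenticator (plus webroot_path when the authenticator is webroot).

```python
import os
import re
import tempfile
from pathlib import Path

# The four lineage files Certbot keeps per certificate name.
REQUIRED_FILES = ("cert", "privkey", "chain", "fullchain")


def parse_renewal_conf(text):
    """Parse a renewal file: top-level `key = value` lines followed by
    [section] blocks. Returns (top_level_dict, {section: dict})."""
    top, sections, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        (top if current is None else current)[key.strip()] = value.strip()
    return top, sections


def check_lineage(config_dir, certname):
    """Return a list of problems found in the lineage; [] means consistent."""
    problems = []
    root = Path(config_dir)
    conf = root / "renewal" / f"{certname}.conf"
    if not conf.is_file():
        return [f"missing renewal file {conf}"]
    top, sections = parse_renewal_conf(conf.read_text())
    archive = Path(top.get("archive_dir", root / "archive" / certname)).resolve()
    versions = set()
    for name in REQUIRED_FILES:
        live = root / "live" / certname / f"{name}.pem"
        if top.get(name) != str(live):
            problems.append(f"{name}: conf says {top.get(name)!r}, expected {live}")
        if not live.is_symlink():
            problems.append(f"{live} is not a symbolic link")
            continue
        # Links are relative (../../archive/...), so resolve them from live/.
        target = (live.parent / os.readlink(live)).resolve()
        m = re.fullmatch(rf"{name}(\d+)\.pem", target.name)
        if m is None or target.parent != archive:
            problems.append(f"{live} -> {target} is not a versioned file in {archive}")
            continue
        versions.add(int(m.group(1)))
        if not target.is_file():
            problems.append(f"{target} does not exist")
    if len(versions) > 1:
        problems.append(f"live/ links point at mixed archive versions {sorted(versions)}")
    params = sections.get("renewalparams")
    if params is None:
        problems.append("no [renewalparams] section: renewal cannot be automated")
    else:
        for key in ("account", "authenticator"):
            if key not in params:
                problems.append(f"[renewalparams] lacks {key} =")
        if params.get("authenticator") == "webroot" and "webroot_path" not in params:
            problems.append("webroot authenticator needs webroot_path")
    return problems


def build_lineage(config_dir, certname, version=1, renewalparams=None, link_versions=None):
    """Create the layout from the post under config_dir using constructed
    placeholder data. link_versions={name: n} points one live/ link at a
    different archive version, which simulates a broken lineage."""
    root = Path(config_dir)
    archive, live, renewal = root / "archive" / certname, root / "live" / certname, root / "renewal"
    for d in (archive, live, renewal):
        d.mkdir(parents=True, exist_ok=True)
    link_versions = link_versions or {}
    for name in REQUIRED_FILES:
        for v in {version, *link_versions.values()}:
            # Placeholder bodies stand in for real certificate and key PEMs.
            (archive / f"{name}{v}.pem").write_text(f"-----BEGIN PLACEHOLDER {name}{v}-----\n")
        link = live / f"{name}.pem"
        if link.is_symlink() or link.exists():
            link.unlink()
        link.symlink_to(f"../../archive/{certname}/{name}{link_versions.get(name, version)}.pem")
    if renewalparams is None:  # placeholder account id, not a real ACME account
        renewalparams = {"account": "PLACEHOLDERACCOUNTID", "authenticator": "nginx", "installer": "nginx"}
    lines = ["version = 0.0.0-placeholder", f"archive_dir = {archive}"]
    lines += [f"{name} = {live / (name + '.pem')}" for name in REQUIRED_FILES]
    lines += ["[renewalparams]"] + [f"{k} = {v}" for k, v in renewalparams.items()]
    (renewal / f"{certname}.conf").write_text("\n".join(lines) + "\n")


def demo():
    """Build one consistent and one deliberately broken lineage and return
    (problems_in_good, problems_in_bad)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_lineage(tmp, "good.example")
        good = check_lineage(tmp, "good.example")
        # Broken: privkey link left at version 1 while the others moved to 2,
        # and [renewalparams] uses webroot without account or webroot_path.
        build_lineage(tmp, "bad.example", version=2, link_versions={"privkey": 1},
                      renewalparams={"authenticator": "webroot"})
        bad = check_lineage(tmp, "bad.example")
    return good, bad


if __name__ == "__main__":
    for label, found in zip(("good", "bad"), demo()):
        print(label, found or "OK")
```

Pointing check_lineage at a real /etc/letsencrypt and a real certificate name runs the same checks against an existing configuration; the mixed-version check is the one that catches a hand-rotated lineage where a private key link was left behind, which would otherwise produce a certificate that does not match its key after the next renewal.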