Certbot renewal and webroot folders

CentOS7/Apache Server:

Currently, when certbot is run to create a new certificate, it uses the specified webroot and creates a folder under [webroot] called “/live/[domainforcert]” (where [domainforcert] is the domain specified for this certificate) and stores symlinks for cert.pem, privkey.pem, chain.pem and fullchain.pem. This works fine in my tests.

My question is: When running certbot 80 days later (for example) in an attempt to renew an existing certificate that is about to expire, will certbot use this same directory or does it create a new directory under [webroot]/live/ for the renewed copy of the certificate? Does it simply overwrite the files that the symlinks point to with new cert, privkey, etc. files?

Because I’m handling installation and renewal somewhat manually for my situation, I’m trying to determine if I can always access the current cert, privkey, etc. files in the same location on the server, even after renewal; for example: [webroot]/live/[certfordomain]/*.pem


The --webroot flag is what specifies where certbot should write the challenge verification files to (in a subdirectory called /.well-known/acme-challenge), which allows you to demonstrate domain ownership. This is typically what the DocumentRoot directive of apache points to.

That’s not where the certificates and keys are stored - in fact, that would be terrible, as it might allow anyone who could browse your site to guess the path to your private key and download it.

Certificates and keys are stored in a subdirectory of /etc/letsencrypt/live by default (the name of that subdirectory being the first domain on your certificate). There are ways to change that path, like the --cert-path and other related flags, but it’s generally best to stick to the defaults and work off of that.

During renewal (at least if you don’t use --cert-path or anything like that), certbot will update the files to point to the most recently issued certificate and key. Behind the scenes, certbot maintains a copy of all keys and certificates that were issued on that particular installation in another subdirectory in /etc/letsencrypt/archive, and the files in /live are just symlinks to the latest certificate/key in there. /live is where your web server should point to.

When renewing, certbot places all the new files (certificate, private key et cetera) as totally new files in /archive/[domainforcert]. Then it updates the symlinks in /live/ to those new files in /archive/.
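The layout the replies describe (challenge tokens under the webroot's `/.well-known/acme-challenge`, issued material under `archive/`, stable symlinks under `live/` that get repointed on renewal) can be modelled end to end. The script below is an added example, not code from the thread or from certbot itself: it builds the directory structure in a temporary directory with placeholder file contents instead of real PEM data, and the domain `example.com`, the temp paths and the function names (`issue_cert`, `current_target`, `archive_count`, `live_content`, `key_under_webroot`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): a throwaway model of certbot's
# /etc/letsencrypt/{archive,live} layout plus a separate webroot, built in a
# temp directory with placeholder PEM contents. Paths, the domain
# "example.com" and the function names are assumptions for illustration.

LE_BASE="$(mktemp -d)"            # stands in for /etc/letsencrypt
WEBROOT="$LE_BASE/www"            # stands in for Apache's DocumentRoot
DOMAIN="example.com"
mkdir -p "$WEBROOT/.well-known/acme-challenge"   # where --webroot writes challenge tokens

# issue_cert N: mimic an issuance or renewal. New files land in archive/DOMAIN
# as {cert,privkey,chain,fullchain}N.pem and the live/DOMAIN symlinks are
# repointed, so live/DOMAIN/*.pem keeps the same name across renewals.
issue_cert() {
    n="$1"
    archive="$LE_BASE/archive/$DOMAIN"
    live="$LE_BASE/live/$DOMAIN"
    mkdir -p "$archive" "$live"
    for name in cert privkey chain fullchain; do
        # placeholder content instead of real PEM data
        printf 'FAKE %s #%s for %s\n' "$name" "$n" "$DOMAIN" > "$archive/$name$n.pem"
        # relative symlink, the way certbot lays it out
        ln -sf "../../archive/$DOMAIN/$name$n.pem" "$live/$name.pem"
    done
    chmod 600 "$archive/privkey$n.pem"   # archive keys are owner-readable only
}

# current_target NAME: basename of the archive file live/DOMAIN/NAME.pem points at
current_target() {
    basename "$(readlink "$LE_BASE/live/$DOMAIN/$1.pem")"
}

# archive_count: how many private keys the archive has retained
archive_count() {
    find "$LE_BASE/archive/$DOMAIN" -name 'privkey*.pem' | wc -l | tr -d ' '
}

# live_content NAME: content read through the stable live/ path
live_content() {
    cat "$LE_BASE/live/$DOMAIN/$1.pem"
}

# key_under_webroot DIR: succeeds (exit 0) if a private key is reachable under
# DIR, which for the webroot is the misconfiguration the reply warns about
key_under_webroot() {
    find "$1" -name 'privkey*.pem' | grep -q .
}

# Demo: initial issuance, then one renewal
issue_cert 1
issue_cert 2
echo "live/$DOMAIN/cert.pem -> $(current_target cert)"
echo "archive now holds $(archive_count) private key(s)"
if key_under_webroot "$WEBROOT"; then
    echo "WARNING: private key reachable under $WEBROOT"
else
    echo "ok: no private key under $WEBROOT"
fi
```

After the second `issue_cert`, `live/example.com/cert.pem` resolves to `archive/example.com/cert2.pem` while `cert1.pem` is still kept in the archive, which is exactly why a web server (or a manual install script) should read from the `live/` path and never from a specific archive file or from anything under the webroot.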

Great – thanks for the quick replies!
