Certbot upgrade is putting certificate files in the wrong folder and naming them with numbers

Due to this change about the Common Names -- Domain ordering not respected, unexpected certificate subject - #6 by jsha -- I am now trying to run cert renewals with the --csr command, and I upgraded certbot from version 1.11 to 2.5.0.

However, now instead of putting the certificates in the appropriate folder as specified by --config-dir, it's putting them in the same folder as I'm running the command from and naming them with a number like 0004_cert.pem and 0008_chain.pem.

Is there a way to get the cert files to go into the same folder as when you don't specify the --csr flag? Or did something change between certbot 1.11 and 2.5.0? (I reverted to 1.11 and the behavior seemed to be the same, so I don't know that the version upgrade had anything to do with it.)

My domain is: walkinfreedom.net

I ran this command:
certbot certonly --manual --csr /home/automation/automation/csrs/walkinfreedom.net.pem --cert-name www.walkinfreedom.net --preferred-challenges http -d www.walkinfreedom.net -d walkinfreedom.net --config-dir /home/automation/automation/ssl-config-dir/ --work-dir /home/automation/automation/ssl-working-dir/ --logs-dir /home/automation/automation/ssl-logs-dir/ --non-interactive --manual-auth-hook "ssl-automation/authenticator.sh attractwell" --manual-cleanup-hook "ssl-automation/cleanup.sh attractwell" --agree-tos --email $sslemail --manual-public-ip-logging-ok

It produced this output:

Saving debug log to /home/automation/automation/ssl-logs-dir/letsencrypt.log
Requesting a certificate for www.walkinfreedom.net and walkinfreedom.net
Use of --manual-public-ip-logging-ok is deprecated.

Successfully received certificate.
Certificate is saved at: /home/automation/automation/0004_cert.pem
Intermediate CA chain is saved at: /home/automation/automation/0008_chain.pem
Full certificate chain is saved at: /home/automation/automation/0009_chain.pem
This certificate expires on 2023-07-03.

NEXT STEPS:

  • Certificates created using --csr will not be renewed automatically by Certbot. You will need to renew the certificate before it expires, by running the same Certbot command again.

My web server is (include version): Apache

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Liquid Web

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.5.0 (and was previously on 1.11)

Certificates created with certbot certonly --csr don't go into /etc/letsencrypt because they are "one-shot" certificates. Certbot immediately forgets about them, won't renew them, and they won't show up in certbot certificates.

Creating a certificate with --csr is really only useful when you are driving it with automation that replaces Certbot's own logic.

You can control the paths of the output files with --cert-path, --chain-path and --fullchain-path, respectively.

--csr has always worked this way; there has not been any behavior change between versions.

3 Likes

When was that a way to specify where the certificates should be placed?
OR
Are we missing some additional detail?


2 Likes

Certs are usually placed in /etc/letsencrypt. --config-dir configures that directory. Makes sense, except for --csr being a weird option disrupting everything.

5 Likes

Thank you, I'll give these parameters a try. Are you aware of any renewal limitations with these or can they be renewed within the window of 30 days before expiration like normal certificates?

1 Like
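Because Certbot forgets a --csr certificate as soon as it writes it, the automation that drives --csr has to decide for itself when to run again, which is the renewal-window question asked above. The following is an added example (not the poster's script and not Certbot's own code) of a stdlib-only check: it reads the PEM file written to --cert-path, walks just enough DER to reach the Validity field, and reports whether the certificate is inside a 30-day renewal window. The sample certificate bytes are constructed here purely to exercise the parser (empty issuer and algorithm fields, no real signature); the file path and the `check_cert_file` helper are hypothetical.

```python
import base64
import datetime as dt
import re

UTC = dt.timezone.utc
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(b"".join(m.group(1).split()))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf: bytes, start: int, end: int):
    """Yield the TLVs directly inside a constructed element."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, vs, ve
        pos = ve


def _parse_time(tag: int, raw: bytes) -> dt.datetime:
    """Decode an X.509 Time (UTCTime or GeneralizedTime, RFC 5280 rules)."""
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ: YY >= 50 means 19YY, else 20YY
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag {tag:#x}")
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def cert_validity(der: bytes):
    """Return (notBefore, notAfter) from a DER certificate."""
    # Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    tag, vs, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_s, tbs_e = _read_tlv(der, vs)
    fields = list(_children(der, tbs_s, tbs_e))
    if fields[0][0] == 0xA0:  # optional explicit [0] version precedes serialNumber
        fields = fields[1:]
    # tbsCertificate order: serialNumber(0), signature(1), issuer(2), validity(3)
    _, v_s, v_e = fields[3]
    times = list(_children(der, v_s, v_e))
    not_before = _parse_time(times[0][0], der[times[0][1]:times[0][2]])
    not_after = _parse_time(times[1][0], der[times[1][1]:times[1][2]])
    return not_before, not_after


def needs_renewal(not_after: dt.datetime, now=None, window_days: int = 30) -> bool:
    """True when the certificate is within window_days of expiry (or already expired)."""
    now = now or dt.datetime.now(UTC)
    return not_after - now <= dt.timedelta(days=window_days)


def check_cert_file(path: str, window_days: int = 30) -> bool:
    """Hypothetical helper: read the file written to --cert-path and decide whether to re-run certbot."""
    with open(path, "rb") as f:
        _, not_after = cert_validity(pem_to_der(f.read()))
    return needs_renewal(not_after, window_days=window_days)


# Constructed sample (not a real certificate): a minimal DER skeleton whose only
# meaningful content is the Validity field, chosen to match the thread's expiry date.
_NB = b"\x17\x0d" + b"230404120000Z"
_NA = b"\x17\x0d" + b"230703120000Z"
_VALIDITY = b"\x30\x1e" + _NB + _NA
_TBS_BODY = b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x30\x00" + b"\x30\x00" + _VALIDITY
_TBS = b"\x30" + bytes([len(_TBS_BODY)]) + _TBS_BODY
_CERT_BODY = _TBS + b"\x30\x00" + b"\x03\x01\x00"
SAMPLE_DER = b"\x30" + bytes([len(_CERT_BODY)]) + _CERT_BODY
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    nb, na = cert_validity(pem_to_der(SAMPLE_PEM))
    print("notBefore", nb.isoformat(), "notAfter", na.isoformat())
    print("renew now?", needs_renewal(na))
```

Run the check from the same job that invokes certbot --csr and only re-run certbot when it returns True; that keeps the automation inside the usual 30-day window while avoiding needless issuances.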

Thank you - I'm not sure why, but all my certificates are under the path specified by --config-dir. The latest cert is symlinked under a subfolder called "live", with all of the old certs in an "archive" subfolder under the path specified by --config-dir.

Unless I use --csr, but I'll use those other --cert-path, --chain-path, and --fullchain-path parameters if I need to use --csr.

1 Like

Clarifying: The three directory arguments control the toplevel/base directory that Certbot uses for those activities. The relevant subdirectories are still created under those directories. In my experience, this stuff is mostly used by test systems and for complex installs where you have multiple isolated "installations" sharing the same Certbot binary and installation. (For example, a managed hosting system with 10 clients might use a separate certbot directory local to each client - but a global Certbot program.)

5 Likes

Rate limits are an ACME server thing. The ACME server doesn't care how the ACME client requested the cert, so rate limits aren't handled differently when using --csr.

6 Likes
