Certificate location


#1

When I created my certificate, it was put in /etc/letsencrypt/live/example.com. When I renewed it, the new one was put in /etc/letsencrypt/live/example.com-0001. Is that supposed to happen? What’s a good workflow to automate this process?

I use the standalone method and just create the cert without configuring the server, because Nginx, Postfix, and Dovecot already point to /etc/letsencrypt/live/example.com/cert.pem etc., so changing the directory name messes that up a bit.

I can script around it, but need to know how that’s intended to work first.

Thanks!


#3

Hm, not here. They are symlinked to /etc/letsencrypt/archive/example.com and /etc/letsencrypt/archive/example.com-0001 respectively. Am I missing something?

Edit: Could it be because on the second run I added some more domains to the cert?


#4

I got the same result and I also had just changed some of the subdomains so I think that your guess is correct. I wonder if this means that I can have different certs for different subdomains?


#5

Yes, you can. Configure your web server with SNI and you can use any number of certificates on the same web server.


#6

Did the client prompt you to treat the new issuance with more domains as a renewal? If so, it’s not the intended behavior that you would get a new example.com-0001 directory. That’s considered a separate “certificate lineage” and is only intended for when you want a separate, unrelated certificate (which could still have some of the same domains mentioned in it).
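
The duplicate-lineage situation discussed in this thread can be checked for directly. The following is an added example, not part of the original posts or of the Let's Encrypt client: a shell function that reports every `live/` directory with a `-NNNN` suffix sitting beside its base name, along with where its `cert.pem` symlink points. The function names, the four-digit suffix pattern (generalized from `-0001`) and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added example (not from the client itself). Assumes the layout described in
# the thread: <root>/live/<name>/cert.pem is a symlink into <root>/archive/<name>/.

# Print one line per suspected duplicate lineage:
#   "<duplicate> <base> <target of the duplicate's cert.pem symlink>"
find_duplicate_lineages() {
    root=${1:-/etc/letsencrypt}
    for dir in "$root"/live/*-[0-9][0-9][0-9][0-9]; do
        [ -d "$dir" ] || continue                 # glob matched nothing
        dup=$(basename "$dir")
        base=${dup%-[0-9][0-9][0-9][0-9]}         # strip the numeric suffix
        # A suffixed name with no base lineage beside it is not a duplicate.
        [ -d "$root/live/$base" ] || continue
        target=$(readlink "$dir/cert.pem" 2>/dev/null || echo "?")
        printf '%s %s %s\n' "$dup" "$base" "$target"
    done
}

# Build a constructed sample tree under $1 that mirrors the thread:
# example.com and example.com-0001, each symlinked into its own archive dir.
make_sample_tree() {
    for name in example.com example.com-0001; do
        mkdir -p "$1/live/$name" "$1/archive/$name"
        : > "$1/archive/$name/cert1.pem"          # empty placeholder file
        ln -s "../../archive/$name/cert1.pem" "$1/live/$name/cert.pem"
    done
}

# Run "sh thisfile --demo" to try it on the constructed tree.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_tree "$tmp"
    find_duplicate_lineages "$tmp"
    rm -rf "$tmp"
fi
```

Any line of output means services still pointing at the base directory, such as the Nginx, Postfix and Dovecot paths in post #1, are not reading the newest certificate files.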