We are writing a script to automate our ‘manual’ certificate renewals, and are trying to decouple it from having to be run on a specific machine. The current procedure is:
- Download an encrypted archive of the Let's Encrypt config directory to a tmp directory
- Run `certbot certonly` (work-dir, logs-dir, cert-path, key-path, chain-path, fullchain-path, etc. are all set to point to the new config directory location). We also have a validation and deploy script.
- Encrypt and back up the new state of the config directory.
Most of this works fine, and the certificates are renewed; however, they are saved to the wrong location. Instead of being saved to the temporary config directory, they are saved to the original location the initial cert was generated at, i.e. a specific user's home directory on a specific machine.
As far as I can tell, the config/renewal/[site].conf file is the cause of this issue: there are several paths in there that still point to the original location. I believe we are setting all of the flags we possibly can, but the one that doesn't appear to have a flag is `archive_dir`. I'd rather not go down the route of dynamically re-writing this config file (especially since `archive_dir` isn't a documented config option, so it's not guaranteed to work with future versions).
Is there another recommended way to essentially move the absolute path to the config directory?
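The failure described above (renewed files landing in the original user's home directory because the renewal conf still carries absolute paths there) can be detected before `certbot` is run. The script below is an added example, not code from the original post or from Certbot: it writes a constructed renewal conf that mimics one with stale paths, then lists every `key = /absolute/path` entry whose path is not under the config directory the renewal is supposed to use. The hostname `example.com`, the user `olduser`, the account id and the temporary config-dir location are all assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): scan a certbot renewal conf for
# absolute paths that do not live under the config directory we are renewing
# into. The sample conf is constructed here to mimic one whose paths still
# point at the original user's home directory; the hostname, user, account id
# and config-dir path are assumptions.
set -eu

# Write a constructed renewal conf under $1/renewal/ and print its path.
make_sample_conf() {
    _dir="$1"
    mkdir -p "$_dir/renewal"
    cat > "$_dir/renewal/example.com.conf" <<'EOF'
version = 1.0.0
archive_dir = /home/olduser/.config/letsencrypt/archive/example.com
cert = /home/olduser/.config/letsencrypt/live/example.com/cert.pem
privkey = /home/olduser/.config/letsencrypt/live/example.com/privkey.pem
chain = /home/olduser/.config/letsencrypt/live/example.com/chain.pem
fullchain = /home/olduser/.config/letsencrypt/live/example.com/fullchain.pem

[renewalparams]
authenticator = webroot
account = 0123456789abcdef
EOF
    printf '%s\n' "$_dir/renewal/example.com.conf"
}

# Print "key -> path" for every "key = /absolute/path" entry in the conf ($1)
# whose path is outside the expected config dir ($2). Non-path values
# (version, authenticator, account, section headers) are ignored.
stale_paths() {
    _conf="$1"
    _expected="${2%/}"
    while IFS= read -r _line; do
        case "$_line" in
            *" = /"*)
                _key="${_line%% =*}"
                _path="${_line#*= }"
                case "$_path" in
                    "$_expected"/*) ;;
                    *) printf '%s -> %s\n' "$_key" "$_path" ;;
                esac
                ;;
        esac
    done < "$_conf"
}

# Number of stale entries; 0 means every path already lives under $2.
count_stale() {
    stale_paths "$1" "$2" | wc -l | tr -d ' '
}

# Demo: a conf being renewed from a fresh temp config dir still carries five
# paths (archive_dir, cert, privkey, chain, fullchain) into the old home dir.
demo() {
    _tmp="$(mktemp -d)"
    _conf="$(make_sample_conf "$_tmp")"
    stale_paths "$_conf" "$_tmp"
    count_stale "$_conf" "$_tmp"
    rm -rf "$_tmp"
}
```

Run `demo` (or `count_stale` against a real `renewal/[site].conf` and the temp config dir) as a pre-flight step in the renewal script: a non-zero count means the upcoming `certbot certonly` run will write into the stale locations rather than the temp directory, so the script can abort before touching anything.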