Certs generated when using --csr option in certbot command

Hi team,

I was generating a cert from LE using the csr option (generated by our enterprise) successfully.
But I had a few observations from what was returned:

Server issued certificate; certificate written to /0000_cert.pem
Cert chain written to 10
Cert chain written to 11
IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /0001_chain.pem

I noticed there were 3 certs, 0000_cert.pem, 0000_chain.pem and 0001_chain.pem, and understood what each is.

But at certain times I only got 2 certs, 0000_cert.pem and 0000_chain.pem, and 0000_chain.pem had both the leaf and intermediate CA in it.

Can you please help me understand when 2 or 3 certs will be generated, or what the expected behavior is? Thanks in advance.


Hi @sdivyareddy216,

The difference should be whether any files with each name already exist. For example, if you have a file 0000_chain.pem already, then you will get 0001_chain.pem instead of 0000_chain.pem.

In every case, Certbot should try to save three new files.


I didn’t already have the file. It was created for the first time along with 0001_chain.pem.


@bmw, can you think of why this would happen? I just looked at some of the associated code and it doesn’t make a lot of sense to me.


For reference:

I’m currently using
certbot 0.34.2

ls -ltr chain
-rw-r--r-- 1 root root 1931 Nov 12 02:43 0000_cert.pem
-rw-r--r-- 1 root root 3472 Nov 12 02:43 0001_chain.pem
-rw-r--r-- 1 root root 1541 Nov 12 02:43 0000_chain.pem

boulder:
Referenced from https://github.com/letsencrypt/boulder


When running certbot certonly with --csr, three files should be created on every run. If you are able to reproduce the behavior where you said you only had two files, instructions on how to reproduce it or a full log from the run would be helpful.

If you set any of --cert-path, --chain-path, or --fullchain-path, they will override the default location of the file and a file already existing at that location is an error.

The default location for these flags is in your current working directory with the names 0000_cert.pem, 0000_chain.pem, and 0000_chain.pem respectively. Currently and since the early days of Certbot, --chain-path and --fullchain-path have the same default location. I created https://github.com/certbot/certbot/issues/7546 to track us changing this behavior.

When Certbot goes to write these files, if the file already exists it increments the number at the beginning of the filename until an unused filename is found. The file for --chain-path is written first, so, assuming no other conflicts, if the chain is n_chain.pem then the fullchain containing both the intermediate and the leaf certificate should be (n+1)_chain.pem.

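The naming rule described above, re-implemented as an added illustration (this is not certbot's own code): the numeric prefix is incremented until a free name is found, and because --chain-path and --fullchain-path share a default name, the fullchain always lands one number after the chain. The PEM contents are constructed placeholders, and counting CERTIFICATE blocks is the quick way to tell the bare chain from the fullchain.

```python
import os
import tempfile

# Constructed placeholder PEM blocks, not real certificates.
LEAF_PEM = "-----BEGIN CERTIFICATE-----\nLEAF_PLACEHOLDER\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE_PLACEHOLDER\n-----END CERTIFICATE-----\n"


def unused_numbered_path(directory, suffix):
    """First '<NNNN>_<suffix>' in directory that does not exist yet: the prefix
    is incremented until a free name is found (illustration, not certbot's code)."""
    n = 0
    while os.path.exists(os.path.join(directory, f"{n:04d}_{suffix}")):
        n += 1
    return os.path.join(directory, f"{n:04d}_{suffix}")


def save_csr_outputs(directory, leaf_pem, intermediate_pem):
    """Write cert, chain and fullchain with certbot's default --csr names; returns
    the paths in write order. --chain-path and --fullchain-path share the default
    NNNN_chain.pem, so the fullchain, written after the chain, gets the next number."""
    outputs = (
        ("cert.pem", leaf_pem),                      # --cert-path
        ("chain.pem", intermediate_pem),             # --chain-path: intermediate only
        ("chain.pem", leaf_pem + intermediate_pem),  # --fullchain-path: same default name
    )
    written = []
    for suffix, content in outputs:
        path = unused_numbered_path(directory, suffix)
        with open(path, "w") as f:
            f.write(content)
        written.append(path)
    return written


def count_pem_certs(path):
    """Number of CERTIFICATE blocks: 1 for cert or chain, 2 for the fullchain."""
    with open(path) as f:
        return f.read().count("-----BEGIN CERTIFICATE-----")


def demo():
    """Two runs in a fresh directory: (run-1 names, run-1 block counts, run-2 names)."""
    with tempfile.TemporaryDirectory() as d:
        first = save_csr_outputs(d, LEAF_PEM, INTERMEDIATE_PEM)
        counts = [count_pem_certs(p) for p in first]
        second = save_csr_outputs(d, LEAF_PEM, INTERMEDIATE_PEM)
        return ([os.path.basename(p) for p in first], counts,
                [os.path.basename(p) for p in second])
```

The first run yields 0000_cert.pem, 0000_chain.pem and 0001_chain.pem, matching the listing earlier in the thread; a second run in the same directory skips to 0001_cert.pem, 0002_chain.pem and 0003_chain.pem.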

Hi @bmw, thanks for the explanation.

Sorry, I’m not able to reproduce the 2 files behavior now.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.