Change certificate directory


#1

Hello,

Is there any way of changing the directory where Lets Encrypt stores its certificates on the server?

We have two servers sharing a storage pool and want to store certificates in the storage pool so that each server can access them.

Thanks,
Ashley.


#2

If the official client doesn’t, you should look at NeilPang’s acme.sh client. It’s a bash client, and allows you to determine the install directory, as well as the cert install directory.

Are you using Linux or something else? (I’m on FreeBSD, and so I use the ports version of the official client.) Depending on your situation, you should choose an appropriate client from this list.


#3

I wrote my own client for situations like this – it stores the certs in SQL and a different tool provisions onto the right servers.

The official client’s data storage model is pretty simple. You can use something like NFS to mount the ‘live’ directory of Server1 onto Server2 as read-only (you could also mount it as read/write and auth from either, or mount it in a random location and symlink).

The issue you’ll run into is with renewal; you’ll need to use a single well-known directory on NFS too (this way either server can respond to the authentication challenge).

  • If the two servers host the same domains (load-balanced), you’d probably want to only run the renewal/issuance off one server.
  • If the two servers don’t host the same domains, they will both try to renew the other’s domains.
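The layout described in #3, as an added example that is not from the thread: a renewal script run from cron on both servers, with certbot's state directories and the challenge webroot on the shared pool, plus a mkdir-based lock on the pool so only one server renews at a time. All paths under `/pool/letsencrypt` are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Run from cron on both servers; the one
# that wins the lock on the shared pool renews, the other only reloads.
# Assumed placeholder paths on the shared storage pool:
SHARED=${SHARED:-/pool/letsencrypt}
CONFIG_DIR="$SHARED/etc"       # certbot --config-dir (holds live/ and archive/)
WORK_DIR="$SHARED/work"        # certbot --work-dir
LOGS_DIR="$SHARED/logs"        # certbot --logs-dir
WEBROOT="$SHARED/webroot"      # shared docroot serving /.well-known/acme-challenge
LOCK_DIR="$SHARED/renew.lock"  # mkdir lock: atomic on NFS, unlike flock semantics

# Succeed only if the shared pool is mounted and writable here; without this
# check a server whose mount dropped would silently renew into local disk.
shared_ok() {
    [ -d "$1" ] && [ -w "$1" ]
}

# Take the renewal lock with mkdir: returns 0 if this host now owns it,
# 1 if the other server holds it. A lock older than a day is treated as
# stale (crashed renewal) and removed first.
acquire_lock() {
    lock="$1"
    if [ -d "$lock" ] && [ -n "$(find "$lock" -prune -mmin +1440 2>/dev/null)" ]; then
        rmdir "$lock" 2>/dev/null
    fi
    mkdir "$lock" 2>/dev/null
}

release_lock() { rmdir "$1" 2>/dev/null; }

main() {
    shared_ok "$SHARED" || { echo "shared pool not mounted, refusing to run" >&2; return 2; }
    if acquire_lock "$LOCK_DIR"; then
        trap 'release_lock "$LOCK_DIR"' EXIT
        # Every state directory lives on the pool, so either server could
        # have issued the cert and either can serve the challenge file.
        certbot renew --config-dir "$CONFIG_DIR" --work-dir "$WORK_DIR" \
            --logs-dir "$LOGS_DIR" --webroot -w "$WEBROOT"
    else
        echo "other server holds the renewal lock; only reloading" >&2
    fi
    # Both servers reload so a cert renewed by the other host takes effect,
    # e.g. systemctl reload nginx (web server assumed, adjust to yours).
}

if [ "${1:-}" = "--run" ]; then main; fi
```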