Change file name on creation

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pbx.northmids.uk

I ran this command: sudo certbot certonly
2: Spin up a temporary webserver (standalone)

It produced this output:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/pbx.northmids.uk/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/pbx.northmids.uk/privkey.pem
    Your cert will expire on 2021-02-05. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

My web server is (include version):
Debian 9

The operating system my web server runs on is (include version): 9

My hosting provider, if applicable, is: 3CX

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no, SSH

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hi, I am a telecoms engineer and would like to use Let's Encrypt for 3CX (Custom FQDN). I have managed to get an SSL, however I want it to automatically rename to: pbx.northmids.uk-crt.pem and pbx.northmids.uk-key.pem - is this possible?

Thanks!

1 Like

Renaming the files isn't advisable, because certbot expects the files to be as the current filenames. However, you can symbolically link to those files (which are symbolic links themselves actually).

If you symbolically link to the files in the /live/ directory, your filenames (which would be the symbolic links) will always point to the current files.

If you don't want to use symbolic links but want to copy the files, you can do so by writing a custom script to do the copying and use that script as the value for the --deploy-hook option. You can use the $RENEWED_LINEAGE variable inside your script, which will point to the actual directory of your certificate inside the /live/ directory. For example, you could do:

cp "$RENEWED_LINEAGE/fullchain.pem" /path/to/copy/the/cert/to
cp "$RENEWED_LINEAGE/privkey.pem" /path/to/copy/the/private_key/to

Read more about --deploy-hook in the "Renewing certificates" section of the certbot documentation:

(More info about the variables for --deploy-hook at the bottom under "Certbot command-line options")

3 Likes

Many thanks for that! I will do some research into it.

Also I have just noticed that the directory where the SSLs were stored doesn’t exist? I go into the location where certbot created them and there is no live folder? Confused....

1 Like

That shouldn't be possible. If certbot reported the files are available in /etc/letsencrypt/live/pbx.northmids.uk/, there should be such a directory.

3 Likes

In total agreement.
Symbolic links will save your day here.

2 Likes

Hi - I had to change permissions to ec2-user:ec2-user to access the folder, but also need to change the user again to access the files. Once the certificate is renewed it needs to be linked/placed into /var/lib/3cxpbx/Bin/nginx/conf/Instance1 with file permissions as phonesystem:phonesystem.

Would this be too complex to achieve? Thanks :slight_smile:

1 Like

No, it wouldn't. Just add the required commands to the script you'll call through the --deploy-hook option.

Also, certbot usually runs as root, but perhaps EC2 behaves differently? When using root, everything usually just has the root user as owner.

1 Like

How do I symbolic link those files please? Not sure it will work because I keep needing to change the file permissions to ec2-user to access the folders/files etc :frowning:

1 Like

Thanks for your quick reply. I am accessing the system via SSH on ec2-user but SU mode. It uses an SSH key to connect and cannot change username before I connect to the system :confused: same goes for FileZilla

1 Like

I have no idea what "SU mode" means, but usually certbot is called through sudo (i.e., sudo certbot) so it will run as root.

It might not be actually necessary though, as it seems you already managed to get certificates issued. And if you can change permissions with your current user also, it looks like you've got all the rights you need.

1 Like

Thanks. What kind of script do I need to google/research to do the following?

  1. renew certificate as root
  2. change file names/link files to /var/lib/3cxpbx/Bin/nginx/conf/Instance1
  3. renew every two/three months

Also does certbot take up a lot of resources? gathering that it is running on a 3CX phone system.

1 Like

1 might not be necessary depending on how user/owner management works on your EC2 system (I have no idea).
2 is an item you can easily script. See my previous post about --deploy-hook. Just use cp or ln -s, whatever floats your boat. This script can also include chown commands.
How 3 is implemented depends on the system used. Linux distributions using systemd usually have a systemd timer. Non-systemd distros usually use cron and have a cronjob running certbot renew.

Furthermore, certbot uses Python. I have no idea how much resources it uses, but if you compare it to other clients which only depend on Bash (such as acme.sh), it uses more resources indeed. Whether it uses too much, I cannot tell.

2 Likes
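
An added example, not written by any poster in this thread: a deploy hook of the kind described above. It copies the renewed certificate and key into the 3CX directory under the requested names, keeps the private key at mode 600 for its whole lifetime in the destination, and copies rather than links so the 3CX user needs no access to /etc/letsencrypt. The function names and the DEST_DIR and CERT_OWNER variables are hypothetical; the destination path, owner and file names are taken from the posts.

```shell
#!/bin/sh
# Added example (not from the thread): certbot deploy hook for the 3CX layout above.
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/<name>) to deploy hooks.
set -eu

# install_pem SRC DEST MODE [OWNER]
# Copy via a temp file in the destination directory, then rename into place, so a
# reader never sees a half-written file or a private key with loose permissions.
install_pem() {
    src=$1 dest=$2 mode=$3 owner=${4:-}
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    tmp=$(mktemp "$(dirname "$dest")/.pem.XXXXXX") || return 1   # created as 0600
    if cat "$src" > "$tmp" && chmod "$mode" "$tmp" &&
       { [ -z "$owner" ] || chown "$owner" "$tmp"; } &&
       mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# deploy_cert LINEAGE_DIR DEST_DIR [OWNER]
# Writes <name>-key.pem (600) and <name>-crt.pem (644), where <name> is the
# lineage directory name, e.g. pbx.northmids.uk.
deploy_cert() {
    lineage=$1 dest_dir=$2 owner=${3:-}
    name=$(basename "$lineage")
    [ -d "$dest_dir" ] || { echo "no such directory: $dest_dir" >&2; return 1; }
    install_pem "$lineage/privkey.pem" "$dest_dir/$name-key.pem" 600 "$owner" &&
    install_pem "$lineage/fullchain.pem" "$dest_dir/$name-crt.pem" 644 "$owner"
}

# Only act when certbot invokes the hook. DEST_DIR and CERT_OWNER are hypothetical
# overrides; an empty CERT_OWNER skips chown (useful when not running as root).
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" \
        "${DEST_DIR:-/var/lib/3cxpbx/Bin/nginx/conf/Instance1}" \
        "${CERT_OWNER-phonesystem:phonesystem}"
fi
```

Save it as an executable script and pass its path as the value of --deploy-hook. Any restart or reload of the 3CX web server that is needed to pick up the new files would have to be added to the script.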