CLI to get the installed wildcard Let’s Encrypt crt and key (repost with background process story)


Problem Description

I have my hosting (Buyshared) and website all setup for SSL using the official Let’s Encrypt app. The SSL issued and installed for my domain ( as a wildcard certificate using dns verification.

Now I use my website to connect to my application server which needs the crt and key files to work. The server is set to retrieve those files from a certain folder located in the hosting public_html folder.

The problem is how can I find the currently installed certificate (crt and key) data (- - - BEGIN …) using cli commands so that I can make a script to copy the data and update the designated file which my external reads every week and updates its installed certificates. This script will be running as a cron job so that every time the Let’s Encrypt app reissues my website certificates, the new crt and key file data is automatically copied and pasted in the secured folder where only my external server can access and retrieve it.

My domain name is:

I don’t have root access

I am using the Let’s Encrypt cPanel Plugin to issue and renew the wildcard SSL

Background Working Principle

The external server is a Mikrotik cloud host router. So what I do is that I have DNS entries to my hosting pointing to this Mikrotik server. example cloud, and this Mikrotik must use the SSL for the domain (which in my case is * so since the Let’s Encrypt app issues this SSL, I need to extract the crt and key file (the latest one) and put it in a secure folder, maybe “~/chr/lets_encrypt”, with a constant name like “skynode.crt and skynode.key”, and then the Mikrotik server can connect to that folder using FTP and retrieve those files to install in itself.



I’m the author of the plugin.

You can find the certificate and private key file in the cPanel TLS/SSL Manager, as with any SSL certificate that is installed to your cPanel account. You can use the standard cPanel UAPI CLI tool to dump the installed certificates, check the cPanel docs for that.

You can also find a copy of the current Let’s Encrypt certificates in use by your account in a JSON file located at $HOME/.cpanel/nvdata/letsencrypt-cpanel.


Hi _az

Thanks for the information. I am kind of a noob here in web hosting elements. Currently I use this script to retrieve the files and upload them to the other server, but this only gets the latest modified files from the SSL/certs or SSL/keys folder, which leaves the possibility of getting mismatched files.


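# Destination folder. Assumed here from the path named earlier in the thread,
# because the line that set DIR did not survive in the post.
DIR="$HOME/chr/lets_encrypt"

# Last file name in sort order from each folder (the two picks are independent)
FILE_crt=$(find ~/ssl/certs -name '*.crt' | sort -n | tail -1)
FILE_key=$(find ~/ssl/keys -name '*.key' | sort -n | tail -1)

if [ -d "$DIR" ]; then
    echo "Directory EXISTS"
    if [ "$(ls -A "$DIR")" ]; then
        echo "Directory is NOT EMPTY. Cleaning Directory"
        # ${DIR:?} aborts instead of expanding to /* if DIR is ever empty
        rm -r "${DIR:?}"/*
        echo "Directory is NOW EMPTY"
    else
        echo "Directory is EMPTY"
    fi
else
    echo "Directory does NOT EXIST"
    mkdir -p "$DIR"
    echo "Directory has been CREATED"
    if [ "$(ls -A "$DIR")" ]; then
        echo "Directory is NOT EMPTY. Cleaning Directory"
        rm -r "${DIR:?}"/*
        echo "Directory is NOW EMPTY"
    else
        echo "Directory is EMPTY"
    fi
fi

if [ -z "$FILE_crt" ]; then
    echo "Latest CRT File Variable is EMPTY"
else
    echo "Latest CRT File: $FILE_crt"
    cp "$FILE_crt" "$DIR/skynode_link.crt"
    chmod 644 "$DIR/skynode_link.crt"
fi

if [ -z "$FILE_key" ]; then
    echo "Latest KEY File Variable is EMPTY"
else
    echo "Latest KEY File: $FILE_key"
    cp "$FILE_key" "$DIR/skynode_link.key"
    # Private key: readable by the owner only
    chmod 600 "$DIR/skynode_link.key"
fi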

Is there any way to get the exact crt and key file dir in the variable FILE_crt and FILE_key (variables in the above custom script) of the SSL which is currently installed or renewed?

Once again sorry for being a noob


Mebbe try this instead of your shell script (configure the two variables at the top).

#!/usr/bin/env python

# Configure here
VHOST = ''
DESTINATION = '/home/user/mikrotik_upload'


from os.path import expanduser, join
import json
import sys

# Load the plugin's per-account data file (JSON)
nvdata = None
with open('{}/.cpanel/nvdata/letsencrypt-cpanel'.format(expanduser('~'))) as file:
  nvdata = json.loads(file.read())
if VHOST not in nvdata['certs']:
  print('No certificate data present for {}'.format(VHOST))
  sys.exit(1)

vhost_data = nvdata['certs'][VHOST]

# Write the private key to destination
# (the write line was lost from the post; 'key' as the field name is an
# assumption, check it against your own nvdata file)
with open(join(DESTINATION, 'privkey.pem'), 'w') as f:
  f.write(vhost_data['key'])
  print('Saved private key to {}'.format(DESTINATION))

# Write the certificate + cabundle to destination
with open(join(DESTINATION, 'fullchain.pem'), 'w') as f:
  f.write(vhost_data['cert'] + vhost_data['issuer'])
  print('Saved certificate to {}'.format(DESTINATION))

$ chmod +x
$ ./
Saved private key to /home/user/mikrotik_upload
Saved certificate to /home/user/mikrotik_upload
$ ls /home/user/mikrotik_upload
fullchain.pem  privkey.pem

BTW, I highly recommend not copying your private key into your web root. Quick road to compromise.
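
A hardened variant of the export above, as an added example that is not part of the original post or the plugin's code: it takes the certificate and key from the same nvdata record so they always match, refuses a destination under the web root, and writes both files atomically with mode 0600. The `key` field name, the helper names `export_pair` and `_write_private`, and the placeholder vhost are assumptions; the `skynode.*` file names and the nvdata path come from the thread.

```python
import json
import os
import tempfile

def export_pair(nvdata_path, vhost, dest, webroot):
    """Write skynode.key/.crt into dest; return True if anything changed."""
    dest = os.path.realpath(dest)
    webroot = os.path.realpath(webroot)
    # Refuse to publish a private key anywhere under the web root.
    if os.path.commonpath([dest, webroot]) == webroot:
        raise ValueError('destination is inside the web root: ' + dest)
    with open(nvdata_path) as fh:
        record = json.load(fh)['certs'][vhost]   # KeyError if vhost is absent
    # Both values come from one record, so they cannot be mismatched.
    chain = record['cert'] + record['issuer']
    key = record['key']                          # assumed field name
    if 'BEGIN CERTIFICATE' not in chain or 'PRIVATE KEY' not in key:
        raise ValueError('nvdata record does not contain PEM data')
    os.makedirs(dest, mode=0o700, exist_ok=True)
    changed = False
    for name, data in (('skynode.key', key), ('skynode.crt', chain)):
        changed |= _write_private(os.path.join(dest, name), data)
    return changed

def _write_private(path, data):
    """Atomically replace path with data (mode 0600); skip if unchanged."""
    try:
        with open(path) as fh:
            if fh.read() == data:
                return False
    except FileNotFoundError:
        pass
    # mkstemp creates the file 0600; os.replace is atomic on one filesystem.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, 'w') as fh:
        fh.write(data)
    os.replace(tmp, path)
    return True

if __name__ == '__main__':
    home = os.path.expanduser('~')
    export_pair(os.path.join(home, '.cpanel/nvdata/letsencrypt-cpanel'),
                '*.example.com',                 # placeholder vhost
                os.path.join(home, 'chr/lets_encrypt'),
                os.path.join(home, 'public_html'))
```

Run from cron, the return value tells the job whether a renewal actually produced new files, so the router only needs to reload when it is True.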


Thank you very much. I will change the store path to a root DIR instead of a public path. One more thing: the saved chain and key are in pem format. My external server can only read a .crt file (the certificate) and a .key file (the key for the certificate). It cannot decipher the pem files.

In that case what should be the changes?

Once again, thank you very much for your time.


CRT files usually are PEM-encoded. You can just rename it if your server throws a fit.

The only other formats for storing certificates and private keys are PFX and DER, which have their own unambiguous file extensions.


So if my server cannot read the .pem then I can just rename the extension for the certificate to .crt and the private key to .key?


I think that your server can read .pem files just fine, but sure, you can rename it if it helps.


Thank you very much… I will try out the script on Monday as I reached the rate limit for wildcard while doing trial and error tests for my domain.


Note that the rate limit is a 7-day rolling window; it doesn’t reset suddenly over the weekend.


Thank you very much for the information. My oldest, i.e. 1st out of all 5 certs, was issued on Monday… Also, is the 7-day rolling rate limit time sensitive?


Maybe give a go, search for your domain and it should report on your rate limit status reasonably accurately.

