Config File Help with File Paths

Hello Friends,
I'm migrating to a new server & having to redo some things that I haven't touched in a couple of years. The new server is running RockyLinux (yes I know it's still new & not fully supported), but I"m trying to build a config file for certbot to use when I issue new Certs so I don't have to use the same flags every time. I'm on Certbot 1.19.0 & I've built a config file on /etc/letscrypt/cli.ini:

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.
# Note that these options apply automatically to all use of Certbot for
# obtaining or renewing certificates, so options specific to a single
# certificate on a system with several certificates should not be placed
# here.

# Use ECC for the private key
key-type = ecdsa

# Cloudflare Authentication
dns-cloudflare = True
dns-cloudflare-credentials = /root/.certbot/cloudflare.ini

#File Paths
cert-path = /etc/ssl/certs
key-path = /etc/ssl/certs
chain-path = /etc/ssl/certs
fullchain-path = /etc/ssl/certs

I had to specify the config file for some reason, but it still didn't take my file paths. The PK is ECDSA & it did validation via cloudflare, but the filepaths didn't take:

[root@newserver ~]# certbot certonly --config /etc/letsencrypt/cli.ini -d * -d
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for * and
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/
Key is saved at:         /etc/letsencrypt/live/

What you're looking to do is only really possible with certbot certonly --csr. This is a command to create a standalone certificate (by default, saved to the current working directory) and it won't get automatically renewed.

Otherwise, Certbot will save its certificate data in a directory and symlink structure under /etc/letsencrypt/ (or whatever you pass for --config-dir). The flags you're trying to use won't have any effect.

If you'd like to copy your certificates to /etc/ssl/certs, I can suggest these two approaches:

  1. Create symlinks in /etc/ssl/certs/ which point to the symlinks in /etc/letsencrypt/live/, or
  2. Use a --deploy-hook which copies the relevant files to /etc/ssl/certs. Something like:
#!/usr/bin/env bash


cp "$RENEWED_LINEAGE/fullchain.pem" "/etc/ssl/certs/$CERT_NAME.crt"
cp "$RENEWED_LINEAGE/privkey.pem" "/etc/ssl/certs/$CERT_NAME.key"

Gotcha. I guess I'll push for the config-dir line then. I added this to the config file:

config-dir = /etc/ssl/certs

It still creates live & archive subdirectories, but I like the structure better. Thanks for the info!


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.