Config File Help with File Paths

Hello Friends,
I'm migrating to a new server & having to redo some things that I haven't touched in a couple of years. The new server is running RockyLinux (yes I know it's still new & not fully supported), but I'm trying to build a config file for certbot to use when I issue new certs so I don't have to use the same flags every time. I'm on Certbot 1.19.0 & I've built a config file at /etc/letsencrypt/cli.ini:

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.
#
# Note that these options apply automatically to all use of Certbot for
# obtaining or renewing certificates, so options specific to a single
# certificate on a system with several certificates should not be placed
# here.

# Use ECC for the private key
key-type = ecdsa

# Cloudflare Authentication
dns-cloudflare = True
dns-cloudflare-credentials = /root/.certbot/cloudflare.ini

#File Paths
cert-path = /etc/ssl/certs
key-path = /etc/ssl/certs
chain-path = /etc/ssl/certs
fullchain-path = /etc/ssl/certs

I had to specify the config file for some reason, but it still didn't take my file paths. The PK is ECDSA & it did validation via Cloudflare, but the file paths didn't take:

[root@newserver ~]# certbot certonly --config /etc/letsencrypt/cli.ini -d *.mccrocklin.space -d mccrocklin.space
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for *.mccrocklin.space and mccrocklin.space
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mccrocklin.space/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/mccrocklin.space/privkey.pem

What you're looking to do is only really possible with certbot certonly --csr. This is a command to create a standalone certificate (by default, saved to the current working directory) and it won't get automatically renewed.

Otherwise, Certbot will save its certificate data in a directory and symlink structure under /etc/letsencrypt/ (or whatever you pass for --config-dir). The flags you're trying to use won't have any effect.

If you'd like to copy your certificates to /etc/ssl/certs, I can suggest these two approaches:

  1. Create symlinks in /etc/ssl/certs/ which point to the symlinks in /etc/letsencrypt/live/example.com/, or
  2. Use a --deploy-hook which copies the relevant files to /etc/ssl/certs. Something like:
#!/usr/bin/env bash
# certbot runs a --deploy-hook after each successful issuance or renewal and
# exports RENEWED_LINEAGE, the /etc/letsencrypt/live/<name> directory involved.
set -eu

CERT_NAME=$(basename "$RENEWED_LINEAGE")

# Copy the current fullchain and private key under the lineage name.
# NB: a newly created copy gets its mode from the umask, not from privkey.pem's 0600.
cp "$RENEWED_LINEAGE/fullchain.pem" "/etc/ssl/certs/$CERT_NAME.crt"
cp "$RENEWED_LINEAGE/privkey.pem" "/etc/ssl/certs/$CERT_NAME.key"
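Both suggestions in the reply above (symlinks into /etc/ssl/certs, or a --deploy-hook that copies), worked through as an added example. This is not code from the thread or from the certbot project. It assumes GNU coreutils (install, stat), that certbot exports RENEWED_LINEAGE to deploy hooks (it does), and two environment variables of my own invention, DEST_DIR and RELOAD_CMD. The copy variant also closes the gap a plain cp leaves: a new file is created with the umask, so a default 022 umask would make the private key copy world-readable.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread above or from the certbot project.
# Deploy hook for `certbot ... --deploy-hook /path/to/this.sh` that implements
# both suggestions from the reply: symlinks into the destination (option 1) or
# copies with explicit permissions (option 2). Assumptions: GNU coreutils
# (install, stat), certbot exporting RENEWED_LINEAGE to deploy hooks, and two
# hypothetical environment variables of my own: DEST_DIR and RELOAD_CMD.
set -eu

# Option 1: symlinks in DEST that point at the live/ symlinks of the lineage.
# certbot repoints live/*.pem at the newest archive/ files on renewal, so these
# links never go stale and nothing needs to be re-copied.
link_lineage() {
    local lineage="$1" dest="$2" name
    name=$(basename "$lineage")
    mkdir -p "$dest"
    ln -sfn "$lineage/fullchain.pem" "$dest/$name.crt"
    ln -sfn "$lineage/privkey.pem"   "$dest/$name.key"
}

# Option 2: copy the files. A plain cp of a *new* file gets the umask, not the
# 0600 of archive/privkey*.pem, so a default 022 umask leaves the private key
# world-readable. umask 077 in a subshell keeps the file private while it is
# being created, and install -m sets the final mode independent of the umask.
copy_lineage() {
    local lineage="$1" dest="$2" name
    name=$(basename "$lineage")
    mkdir -p "$dest"
    (
        umask 077
        install -m 0644 "$lineage/fullchain.pem" "$dest/$name.crt"
        install -m 0600 "$lineage/privkey.pem"   "$dest/$name.key"
    )
}

# Check that what the server will read is byte-for-byte the renewed material
# and that the key is not readable by other users. Returns 0 on success.
verify_deployed() {
    local lineage="$1" dest="$2" name
    name=$(basename "$lineage")
    cmp -s "$lineage/fullchain.pem" "$dest/$name.crt" || return 1
    cmp -s "$lineage/privkey.pem"   "$dest/$name.key" || return 1
    [ "$(stat -L -c %a "$dest/$name.key")" = "600" ] || return 1
}

main() {
    # DEST_DIR is a hypothetical override; the default is the path from the thread.
    local dest="${DEST_DIR:-/etc/ssl/certs}"
    copy_lineage "$RENEWED_LINEAGE" "$dest"
    verify_deployed "$RENEWED_LINEAGE" "$dest"
    # Reload whatever serves the certificate, e.g. RELOAD_CMD="systemctl reload nginx".
    if [ -n "${RELOAD_CMD:-}" ]; then
        $RELOAD_CMD
    fi
}

# certbot sets RENEWED_LINEAGE when it calls a deploy hook; without it there is
# nothing to deploy, so report that and exit cleanly.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    main
else
    echo "RENEWED_LINEAGE is not set; run this via certbot --deploy-hook" >&2
fi
```

Under set -eu any failure in the copy, the verification or the reload command makes the hook exit non-zero, which certbot reports, so a renewal that did not actually reach the server is not silently treated as a success. If the key must live outside /etc/ssl/certs (which is world-readable on most distributions), point DEST_DIR or the second argument at /etc/ssl/private instead.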

Gotcha. I guess I'll push for the config-dir line then. I added this to the config file:

config-dir = /etc/ssl/certs

It still creates live & archive subdirectories, but I like the structure better. Thanks for the info!

