Confused about backing up keys and account credentials


When I first generate the certificate it says:

  • Your account credentials have been saved in your Let’s Encrypt
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Let’s
    Encrypt so making regular backups of this folder is ideal.

I see that live/ contains 4 .pem files. I thought I would back this up locally but I can’t even copy it to my user account temporarily:
sudo cp live/*.pem ~myuser
cp: cannot stat ‘live/*.pem’: No such file or directory

How am I supposed to backup these files if I can’t even copy them?

Also, why do I need to backup the entire folder? Just as there is a key file, isn’t there an account credentials file that I can backup instead of having to backup the entire folder?


Hello @letsyoyo,

Keep in mind that those 4 pem files inside live/ dir are not regular files but symbolic links pointing to the real pem files located in archive/

Example listing live/ dir:

$ sudo ls -l /etc/letsencrypt/live/
total 0
lrwxrwxrwx 1 root root 35 Mar 14 01:47 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root 36 Mar 14 01:47 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root 40 Mar 14 01:47 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root 38 Mar 14 01:47 privkey.pem -> ../../archive/

You user has no rights to access /etc/letsencrypt/live/ (that is the reason you are using sudo, right?)… well, keep in mind that shell is trying to expand *.pem before executing sudo, that means that the shell is trying to get the file names matching the pattern *.pem before it has the rights to read the contents of that dir so as the shell can’t expand the pattern *.pem it is passed literally to sudo and when cp is executed by sudo it cannot find a file named *.pem, that is the reason for the cannot stat error.

So, if you want to copy the contents of live/, copy the entire dir and use -L switch to copy the real files instead of the symbolic links

sudo cp -rL /etc/letsencrypt/live/ ~myuser

If you still want to use the *.pem pattern you should execute it inside a shell launched by sudo:

sudo sh -c 'cp -L /etc/letsencrypt/live/*.pem ~myuser'

Maybe a better approach is just copy the archive dir that is where your real pem files are located.

sudo cp -r /etc/letsencrypt/archive/ ~myuser

But the best approach is backup the entire /etc/letsencrypt dir. There you have not only the certs, the keys used for those certs, etc. but the renewal info, your account details used to revoke certs, etc. so yes, please, backup all.

sudo cp -r /etc/letsencrypt/ ~myuser

Edit: If you copy the files, the owner of that files will be root, if you want to view the contents using your user you should chown the copied dir.

sudo chown -R myuser:myuser ~myuser/letsencrypt/