File overwrite and skip for --fullchain-path --chain-path and --cert-path

I'm trying to replace a different client with certbot and run certbot in certonly mode as an unprivileged user and as part of another script. Unfortunately I've got a range of issues with the --fullchain-path --chain-path and --cert-path flags.
The help-page says the default is "None" which I'd interpret as "if not specified no file is generated"

  --cert-path CERT_PATH
                        Path to where certificate is saved (with auth --csr),
                        installed from, or revoked. (default: None)
  --fullchain-path FULLCHAIN_PATH
                        Accompanying path to a full certificate chain
                        (certificate plus chain). (default: None)
  --chain-path CHAIN_PATH
                        Accompanying path to a certificate chain. (default:
                        None)

However, I get 3 files when not specifying any or only a subset of the options:
0000_cert.pem 0000_chain.pem 0001_chain.pem

If I specify any of them I run into another potential issue: Certbot will never overwrite the file if they exist and exit with an error.
Am I missing a certbot flag here? It seems odd that this isn't working at all, in most cases I only need either the cert-path and maybe the chain oder the fullchain file, but hardly ever I need all three of them.

The full command I'm currently testing with:
certbot certonly --register-unsafely-without-email --agree-tos --cert-path /opt/letsencrypt/certificate.pem --csr /opt/letsencrypt/certs/test.csr --key-path /opt/letsencrypt/account_key.pem --preferred-challenges http --webroot --webroot-path /var/wwwACME/ --work-dir /opt/letsencrypt/workdir --config-dir /opt/letsencrypt/config --logs-dir /opt/letsencrypt/logs --staging

Thank you very much

1 Like

--csr is not very good. I've been looking at it recently and fixing it up is on the radar.

If you don't provide explicit values for each of --{cert,chain,fullchain}-path, --csr tries to brute force a unique name that does not exist, and uses that.

if you do provide those paths explicitly, then Certbot will use those. However, as you point out, Certbot will fail if those files already exist.

What I can suggest is that if you're going to use --csr today, then it probably should be done as part of a shell script which:

  • specifies some temporary locations for all 3 files
  • makes sure they don't exist beforehand, and
  • makes sure they're moved/deleted afterwards

I've added your points to https://github.com/certbot/certbot/issues/4182 and feel free to include your own views.

3 Likes