Given that letsencrypt returns cert.pem, chain.pem, fullchain.pem, and privkey.pem, I think that I am supposed to perform some actions on the returned PEM-formatted certificate in order to get the expected values - except privkey.pem, which I think is the private_key used to sign the certificate request. Are my assumptions correct?
I ask because:
although acme-client has a very simple API, from my reading of the codebase, it appears that it does not make any assumptions about certificate/key storage
I am having a hard time finding a straightforward explanation of how cert.pem, chain.pem, fullchain.pem, and privkey.pem are generated.
I would appreciate any explanation of how the PEM-formatted certificate that is returned is related to or used to generate cert.pem, chain.pem, fullchain.pem, and privkey.pem.
What is returned by the ACME protocol is basically the fullchain.pem file. It’s the signed certificate plus one or more certificates that make up the issuing CA chain. So you then just split that out into cert.pem (the first cert in the file) and chain.pem (the rest of the file). It’s a plain text file and you should be able to see the cert delineations fairly easily.
You’re correct that privkey.pem is the private key you already used to sign the cert request.
Section 7.4.2 of the current ACME draft-16 talks about the details surrounding the certificate download. But what a client decides to do with that file is ultimately a usability choice by the client author.
Even the names cert.pem, chain.pem, and fullchain.pem aren't any kind of industry standard, but just a choice of this kind that we made when we first wrote Certbot, because we hoped they would help explain to users what the content of the files was. (And we may have made a mistake there, because fullchain.pem is what almost all software should use, but many users instead pick cert.pem and end up serving an incomplete chain.)
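The split described in the replies above (first certificate becomes cert.pem, the rest becomes chain.pem), as an added example that is not code from the thread, acme-client, or Certbot. The names `split_fullchain` and `fake_cert` are hypothetical and the sample input uses constructed placeholder bodies rather than real certificates; privkey.pem is not part of the download and is the key the client already holds.

```python
import base64
import re

# Matches one PEM certificate block, tolerating CRLF line endings.
CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.+?)\r?\n-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_fullchain(fullchain_pem):
    """Return (cert_pem, chain_pem) from the PEM text an ACME server returns.

    cert_pem is the first certificate (the end-entity cert); chain_pem is
    every certificate after it, in the order the server sent them.
    """
    blocks = []
    for match in CERT_BLOCK.finditer(fullchain_pem):
        body = "".join(match.group(1).split())
        # Reject a block whose body is not valid base64 (e.g. a truncated
        # download); binascii.Error is a subclass of ValueError.
        base64.b64decode(body, validate=True)
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append(
            "-----BEGIN CERTIFICATE-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n"
        )
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in input")
    # A single-certificate response yields an empty chain.
    return blocks[0], "".join(blocks[1:])


def fake_cert(label):
    """Build a constructed placeholder block (not a real certificate)."""
    body = base64.b64encode(label.encode() * 8).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


# Constructed sample: a "leaf" block followed by one "intermediate" block.
SAMPLE_FULLCHAIN = fake_cert("leaf") + "\n" + fake_cert("intermediate")

if __name__ == "__main__":
    cert, chain = split_fullchain(SAMPLE_FULLCHAIN)
    print("cert.pem:\n" + cert)
    print("chain.pem:\n" + chain)
```

Concatenating the two return values reproduces the content of fullchain.pem, which is the file most server software should be pointed at.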