How to create a certificate in live/ without link to archive/

I have a certificate located in /etc/letsencrypt/live/nonprod.gitsis.eu, which is not a symbolic link. When it’s about to expire, I attempt to issue a new one, but it always creates a folder in live/nonprod.gitsis.eu containing symbolic links to the archive/ directory.

Is there a way to generate the certificate directly in the live directory without creating symbolic links to archive/?

I ran this command:
certbot certonly --noninteractive --authenticator dns-hetzner --dns-hetzner-credentials /tmp/dns_api_token.ini --agree-tos --domains *.nonprod.gitsis.eu --email algitsis@gmail.com

I run on Debian 12
certbot 2.11.0

No, not directly, that's just how Certbot works.

What's wrong with symbolic links? Any software should be able to use that without an issue.

As some kind of workaround you could write your own script and use it in a --deploy-hook. Within that script you can do whatever you want, as long as you don't mess up the existing files generated by Certbot.

4 Likes
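The --deploy-hook workaround suggested in the reply above could look like the following. This is an added example, not code from the thread or from Certbot: it copies the renewed files to a separate directory as regular files and leaves live/ and archive/ untouched. The destination root /etc/ssl/certbot-copies and the function name deploy_copy are assumptions; RENEWED_LINEAGE is the variable Certbot sets for deploy hooks.

```sh
#!/bin/sh
# Added example: Certbot deploy hook that keeps symlink-free copies of a
# renewed certificate outside /etc/letsencrypt. Certbot's own live/ and
# archive/ files are only read, never modified.

# Assumption: hypothetical destination root; point your service at it.
DEST_ROOT="${DEST_ROOT:-/etc/ssl/certbot-copies}"

# deploy_copy LINEAGE_DIR DEST_DIR
# Copies the four PEM files as regular files. Each file is written to a
# temporary name and renamed, so a reader never sees a partial file.
deploy_copy() {
    lineage=$1
    dest=$2
    old_umask=$(umask)
    umask 077                       # nothing is created world-readable
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        src="$lineage/$f"
        [ -e "$src" ] || { echo "missing $src" >&2; umask "$old_umask"; return 1; }
        tmp="$dest/.$f.tmp.$$"
        # cp -L follows the live/ -> archive/ symlink and copies the target.
        cp -L "$src" "$tmp" || { rm -f "$tmp"; umask "$old_umask"; return 1; }
        if [ "$f" = privkey.pem ]; then
            chmod 600 "$tmp"        # private key: owner only
        else
            chmod 644 "$tmp"        # public material
        fi
        mv -f "$tmp" "$dest/$f"
    done
    umask "$old_umask"
}

# Certbot sets RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# when it runs a deploy hook; do nothing when the variable is absent.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_copy "$RENEWED_LINEAGE" "$DEST_ROOT/$(basename "$RENEWED_LINEAGE")"
fi
```

Pass the script's path to --deploy-hook, or place it in /etc/letsencrypt/renewal-hooks/deploy/ so it runs after every successful renewal. If the consuming service runs as a non-root user, adjust ownership of the copied private key for that user rather than loosening its mode.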

Why does Certbot sometimes create certificates directly in the live/ directory instead of using symbolic links?

I’ve noticed inconsistent behavior when generating certificates using Certbot. In some cases, the certificates are created in the live/ directory as symbolic links pointing to files in the archive/ directory (as expected). However, other times, the certificate files are created directly in the live/ directory without using symbolic links.

I’m trying to understand what might cause this difference. Could it be related to:

  • The existence of a previous certificate for the same domain?
  • A configuration or conflict in the renewal/ directory?
  • Specific Certbot parameters or flags I might be using?

If anyone has encountered this issue or knows what might lead to these outcomes, I’d appreciate your insights.

Certbot does not do that. But, if you have a --deploy-hook or a hook script in a Certbot hook folder your script could be overwriting what Certbot does.

We will need more info about how you reproduce that. For example, show us output of this

sudo ls -l /etc/letsencrypt/live/(domain)

before and after running Certbot.

And, upload the /etc/letsencrypt/letsencrypt.log file. You will need to copy it to a .txt file to upload to this forum.

2 Likes