How to use existing private key with certbot?


#1

Hi everyone!

I’d like to use an existing private key with certbot for request and renewal of letsencrypt certificates. In the certbot documentation/FAQ I found that it was possible (yay! \o/) but not how to do that.

If possible, I’d like to use the key and not a csr because I want certbot to do as much work as possible :wink:

On my first try, I used certbot with --key-path pointing to the private key in question but that didn’t work.

Cheers
Steffen


#2

Unfortunately, providing Certbot with a pre-generated CSR (with the --csr option) is how you use an existing private key. There is no other way as far as I know.

On the other hand, generating the CSR is only one command, and you don’t even need to redo it for each renewal. As long as you always request the same domains, you can generate the CSR once and for all.


#3

[quote=“gouttegd, post:2, topic:17050, full:true”]
Unfortunately, providing Certbot with a pre-generated CSR (with the --csr option) is how you use an existing private key. There is no other way as far as I know.[/quote]

Well, I did try that. However, I ended up getting the cert chain as something like /etc/0000_cert.pem instead of the more tidy /etc/letsencrypt/live/deimos.bebef.de/fullchain.pem.

Is there a way to get this result when using Certbot with a CSR?


#4

I’m facing the same issue here. The CSR method works but is painful. It’s really unfortunate that the --key-path only works one way.


#5

Well, I don’t have a problem with creating a CSR. However, Certbot doesn’t seem to be what I am looking for to roll out LE on my servers, so I’m having a look at acme-tiny. See also https://scotthelme.co.uk/setting-up-le/


#6

Bugger! I totally forgot that I wanted to use a client with a builtin webserver because I don’t have a webserver on every server. Well…


#7

You can use the --cert-path, --chain-path, and --fullchain-path to explicitly specify where Certbot should write the certificate and the chain files.

Note however that even with these options, Certbot will always prepend a numeric prefix of the form xxxx_ at the beginning of the filename. This behavior is to prevent overwriting an existing file and cannot be modified. It is up to you to rename or copy the certificate and/or the chain file to a more suitable location (something which can easily be done with a bit of shell scripting).
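The following is an added example, not code posted by anyone in this thread, that ties together post #2 (generate the CSR once from the existing key) and post #7 (point Certbot at explicit output paths, then copy the xxxx_-prefixed files to a stable location). It assumes openssl (1.1.1 or later, for -addext) and certbot are on PATH, that the --standalone authenticator can bind port 80 on the host, and that every path in the usage line is a placeholder to be replaced.

```shell
#!/bin/sh
# Added example (not from the thread): reuse an existing private key with
# "certbot certonly --csr" and move Certbot's numbered output files
# (0000_cert.pem, 0000_chain.pem, 0000_fullchain.pem, ...) to stable names.
# Assumptions: openssl >= 1.1.1 and certbot on PATH; all paths are placeholders.

# make_csr KEY OUT DOMAIN [DOMAIN...]: build a CSR from an existing key.
# The first domain becomes the CN; every domain is listed as a SAN.
make_csr() {
  key=$1; out=$2; shift 2
  cn=$1
  san=""
  for d in "$@"; do
    san="${san:+$san,}DNS:$d"
  done
  openssl req -new -key "$key" -subj "/CN=$cn" \
    -addext "subjectAltName=$san" -out "$out"
}

# latest_numbered DIR NAME: print the newest "xxxx_NAME" file in DIR
# (highest numeric prefix), or nothing if there is none.
latest_numbered() {
  dir=$1; name=$2
  ls -1 "$dir"/[0-9][0-9][0-9][0-9]_"$name" 2>/dev/null | sort | tail -n 1
}

# install_certs SRC DEST: copy the newest cert/chain/fullchain trio from SRC
# into DEST under prefix-free names. Returns 1 if any of the three is missing,
# so a half-written set never replaces a working one.
install_certs() {
  src=$1; dest=$2
  mkdir -p "$dest"
  for name in cert.pem chain.pem fullchain.pem; do
    f=$(latest_numbered "$src" "$name")
    [ -n "$f" ] || { echo "missing $name in $src" >&2; return 1; }
    cp "$f" "$dest/$name"
  done
  # Certificates and chains are public; the private key stays where it was.
  chmod 644 "$dest"/cert.pem "$dest"/chain.pem "$dest"/fullchain.pem
}

# request_cert KEY WORKDIR DEST DOMAIN...: the whole flow. Domains are taken
# from the CSR, so the same CSR can be reused for every renewal.
request_cert() {
  key=$1; work=$2; dest=$3; shift 3
  mkdir -p "$work"
  [ -f "$work/request.csr" ] || make_csr "$key" "$work/request.csr" "$@"
  certbot certonly --standalone --csr "$work/request.csr" \
    --cert-path "$work/cert.pem" \
    --chain-path "$work/chain.pem" \
    --fullchain-path "$work/fullchain.pem"
  install_certs "$work" "$dest"
}

# Usage (placeholder paths and names):
# request_cert /etc/ssl/private/example.key /var/tmp/certbot-work \
#   /etc/ssl/example example.com www.example.com
```

Because Certbot only ever adds a new numbered file, install_certs picks the highest prefix, which is the most recent issuance; the copy step is what gives you the tidy fullchain.pem path post #3 was after.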


#8

or use a client that supports the DNS challenge if that works for you


#9

[quote=“gouttegd, post:7, topic:17050, full:true”]
You can use the --cert-path, --chain-path, and --fullchain-path to explicitly specify where Certbot should write the certificate and the chain files.

Note however that even with these options, Certbot will always prepend a numeric prefix of the form xxxx_ at the beginning of the filename.[/quote]

Well, I was hoping for the same behaviour you get when you use the “full auto” variant, but sure, one can work around that…


#10

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.