If I use certonly does certbot ignore custom path commands?

sudo certbot certonly --webroot -w /data/nginx/html/stim/dist -d r.amperetech.co --cert-path /data/nginx/cert/cert.pem --key-path /data/nginx/cert/privkey.pem --fullchain-path /data/nginx/cert/fullchain.pem --deploy-hook "docker exec nginx-master nginx -s reload"

If I use the certonly argument, will certbot still honor custom paths for --key-path, --fullchain-path, and --cert-path and install it in the custom path instead of the default location?

The reason I ask is because I used a similar command before, and it ended up installing the certificate in the default location and I had to manually copy it over to my custom paths. I am trying to understand if I failed to set permissions or if certonly prevents it from honoring custom paths.


Welcome back @jeffbrowninNH

I think those only work with certonly --csr. I say this not from personal experience but just scanning the docs just now. That --csr option is rarely used and not worth the trouble.

You could look at the --config-dir option. That might do what you want. Just know for any Certbot command you need to provide that too. Even any renew command.

Personally, I'd let Certbot do its normal thing and copy them after. Possibly in a script named by --deploy-hook.


Thanks for the hints. I'm worried that any sort of auto renewal command will fail as a result too. I'm running on very little sleep right now, so perhaps I will go take a nap and then take another look at this again when I am refreshed.


The --deploy-hook setting is saved in the cert profile for each cert. So it gets run for each renew too.

It gets passed env vars to see what you were invoked with (see the docs). Or, create a custom script for each cert and use that script in the deploy-hook

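A deploy-hook script along the lines suggested above, as an added example that is not part of the original thread or of Certbot itself. It relies on the RENEWED_LINEAGE environment variable that Certbot sets for deploy hooks; the destination directory and reload command are taken from the command in the question, and the function name and the DEST_DIR/RELOAD_CMD overrides are assumptions made for the example.

```shell
#!/bin/sh
# Added example: Certbot deploy hook that copies a renewed lineage to a custom directory.
# Certbot sets RENEWED_LINEAGE (the live/<name> directory) for --deploy-hook commands.
# DEST_DIR and RELOAD_CMD are hypothetical overrides; defaults come from the question.
DEST_DIR="${DEST_DIR:-/data/nginx/cert}"
RELOAD_CMD="${RELOAD_CMD:-docker exec nginx-master nginx -s reload}"

# copy_lineage SRC DEST: copy cert.pem, fullchain.pem and privkey.pem from SRC to DEST.
# All three files are checked first so a broken lineage never overwrites a good copy.
copy_lineage() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "lineage dir not found: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    for f in cert.pem fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    old_umask=$(umask); umask 077   # temp files are never group/world readable
    for f in cert.pem fullchain.pem privkey.pem; do
        mode=644
        [ "$f" = privkey.pem ] && mode=600   # private key: owner only
        tmp="$dest/.$f.tmp.$$"
        # cp follows the live/ symlinks; mv within one directory is an atomic
        # rename, so nginx never reads a half-written file.
        cp "$src/$f" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest/$f" \
            || { rm -f "$tmp"; umask "$old_umask"; return 1; }
    done
    umask "$old_umask"
}

# Act only when Certbot invoked us; reload nginx only if the copy succeeded.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    copy_lineage "$RENEWED_LINEAGE" "$DEST_DIR" && $RELOAD_CMD
fi
```

Saved as an executable file and passed to --deploy-hook in place of the bare reload command, this runs on the initial issuance and on every later successful renewal of that certificate.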

Well, turns out it can't be a permissions problem because certbot has root access. So certonly really does ignore --cert-path, --key-path, --fullchain-path??? I just don't get it. Yeah the deploy-hook workaround should fix the issue but I wish it were more clear to not use these parameters.

Yes, the docs could be clearer. Can't they all :)

--cert-path CERT_PATH
Path to where certificate is saved (with certonly --csr), installed from, or revoked (default: None)


I see. And certonly --csr wouldn't work with certbot renew anyway right?

Not that I know of. I wouldn't recommend it as a way to change paths anyway.

--csr CSR
Path to a Certificate Signing Request (CSR) in DER or PEM format. Currently --csr only works with the 'certonly' subcommand. (default: None)

https://eff-certbot.readthedocs.io/en/latest/using.html#certbot-command-line-options


It would not. The --csr option is not really an option, but more of a subcommand: it does not "store" the information entered on the command line, like webroots etc. It only uses it once, puts the certs in the current directory or the specified paths and then just quits without saving anything else.

It would have been more helpful probably if --csr was a subcommand next to run, certonly etc. I also don't think the installer plugins work with --csr.
