Is moving/copying downloaded certificate files to my application's directory a good idea?

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain from-dawn.com

I ran this command:sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d from-dawn.com --agree-tos -m blablabla@gmail.com --config-dir ~/hqyc/credentials -n

It produced this output:

My web server is (include version):Cherrypy

The operating system my web server runs on is (include version):Ubuntu

My hosting provider, if applicable, is:aws

I can login to a root shell on my machine (yes or no, or I don't know):yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):latest

After running this command the downloaded (symbolic link) files will be stored under my application's credentials/ directory. I wonder if this is a better idea than simply copying/moving from the same files from default directory without specifying --config-dir? Any security concerns for this?

2

Hi @niujh,

Copying is fine, but moving isn't because it will cause certbot renew to break.

You could also use the --deploy-hook feature in Certbot to cause a script to be run every time a certificate is issued or renewed, which can then be used to copy the new certificate and associated files to some other location.

3

Thanks. Could you please explain a little on the difference between --deploy-hook vs. --post-hook?

4

Sure! The Certbot manual explains it like this:

When Certbot detects that a certificate is due for renewal, --pre-hook and --post-hook hooks run before and after each attempt to renew it. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.

6

This means that usually --pre-hook and --post-hook are used for things that are a special requirement or prerequisite for the renewal attempt itself (most often: changing a firewall rule to allow incoming connections, or temporarily shutting down the local web server to avoid port conflicts if using --standalone), while usually --deploy-hook is used for certificate installation/deployment purposes.