Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain from-dawn.com
I ran this command: sudo certbot certonly --dns-route53 --dns-route53-propagation-seconds 30 -d from-dawn.com --agree-tos -m firstname.lastname@example.org --config-dir ~/hqyc/credentials -n
It produced this output:
My web server is (include version): Cherrypy
The operating system my web server runs on is (include version): Ubuntu
My hosting provider, if applicable, is: aws
I can login to a root shell on my machine (yes or no, or I don't know): yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): latest
After running this command the downloaded (symbolic link) files will be stored under my application's credentials/ directory. I wonder if this is a better idea than simply copying/moving the same files from the default directory without specifying --config-dir? Any security concerns for this?
Copying is fine, but moving isn't because it will cause certbot renew to break.
You could also use the --deploy-hook feature in Certbot to cause a script to be run every time a certificate is issued or renewed, which can then be used to copy the new certificate and associated files to some other location.
Thanks. Could you please explain a little on the difference between
Sure! The Certbot manual explains it like this:
When Certbot detects that a certificate is due for renewal, --post-hook hooks run before and after each attempt to renew it. If you want your hook to run only after a successful renewal, use --deploy-hook in a command like this.
This means that usually --post-hook are used for things that are a special requirement or prerequisite for the renewal attempt itself (most often: changing a firewall rule to allow incoming connections, or temporarily shutting down the local web server to avoid port conflicts if using --standalone), while usually --deploy-hook is used for certificate installation/deployment purposes.
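Added example, not part of the thread and not Certbot's own code: a deploy hook script of the kind described above, which copies the renewed certificate and key into an application directory as regular files with owner-only permissions. The `deploy_cert` function name, the `DEST_DIR` variable and the `/opt/app/credentials` default are assumptions; `RENEWED_LINEAGE` is the variable Certbot exports to deploy hooks.

```shell
#!/bin/sh
# Added example: Certbot deploy hook. Certbot exports RENEWED_LINEAGE
# (the live/<name> directory of the renewed certificate) to deploy hooks.
# DEST_DIR is an assumption; set it to the application's credentials directory.

deploy_cert() {
    src=$1
    dest=$2
    # Refuse to deploy if either file is missing or empty.
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    mkdir -p "$dest" || return 1
    chmod 700 "$dest" || return 1
    old_umask=$(umask)
    umask 077            # the temp copy is never readable by other users
    status=0
    for f in fullchain.pem privkey.pem; do
        tmp="$dest/.$f.tmp.$$"
        # -L follows the live/ symlink so a regular file is copied;
        # mv within one directory replaces the old file atomically.
        if cp -L "$src/$f" "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$dest/$f"; then
            :
        else
            rm -f "$tmp"
            status=1
            break
        fi
    done
    umask "$old_umask"
    return $status
}

# Only act when Certbot invoked the script as a deploy hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_cert "$RENEWED_LINEAGE" "${DEST_DIR:-/opt/app/credentials}"
fi
```

Pass the script's path to `--deploy-hook`; if the application runs as a different user than Certbot, add a `chown` to that user after the copy.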