Issue with acme keys

I’m trying to add this certificate key file to a service of mine. I used acme to create a certificate for my domain and when in /etc/letsencrypt I can only find these files:

mydomain.com.conf
mydomain.com.csr
mydomain.com.csr.conf
mydomain.com.key

The mydomain.com.key is my private rsa key but it doesn’t list my “Certificate” (PEM) file which my service requires? Where can I find this key?

Once you have issued a certificate with Certbot, it goes into a directory within /etc/letsencrypt/live/.

Here is the documentation from Certbot:

$ cat /etc/letsencrypt/live/foobar.org/README
This directory contains your keys and certificates.

privkey.pem : the private key for your certificate.
fullchain.pem: the certificate file used in most server software.
chain.pem : used for OCSP stapling in Nginx >=1.3.7.
cert.pem : will break many server configurations, and should not be used
without reading further documentation (see link below).

WARNING: DO NOT MOVE OR RENAME THESE FILES!
Certbot expects these files to remain in this location in order
to function properly!

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.

1 Like

Oh, did you mean that you used acme.sh (https://github.com/Neilpang/acme.sh)?

With acme.sh, there are two separate steps you need to perform.

I assume you have already done the acme.sh --issue part. This drops the certificate and private key files within ~/.acme.sh/example.com/ (substitute your domain). For example, in there you’ll find fullchain.cer and example.com.cer, and you’ll usually use the former.

If you can find the .csr file but you can’t find the fullchain.cer file in that directory, it means that acme.sh did not issue a certificate - it failed and you’ll need to look at the previous output of acme.sh --issue to identify why.

One more thing: you’re not supposed to directly use the files in the ~/.acme.sh directory. You need to follow up with an acme.sh --install command, which will copy the relevant files to a location of your choice, and reload your webserver.

You can see some examples and explanation on the acme.sh README: https://github.com/Neilpang/acme.sh#3-install-the-cert-to-apachenginx-etc

1 Like

Hey, yes I did use acme.sh.

I assume you have already done the acme.sh --issue part. This drops the certificate and private key files within ~/.acme.sh/example.com/ (substitute your domain). For example, in there you’ll find fullchain.cer and example.com.cer , and you’ll usually use the former.

That’s the thing I can’t find anything of the sort only what I’ve listed in my OP.

mydomain.com.conf
mydomain.com.csr
mydomain.com.csr.conf
mydomain.com.key

If you can find the .csr file but you can’t find the fullchain.cer file in that directory, it means that acme.sh did not issue a certificate - it failed and you’ll need to look at the previous output of acme.sh --issue to identify why.

I issued the certificate it via nginx and it appears it did work because another one of my subdomains has https, but when I look into the folder like you mentioned it has the same structure of items that I previously listed. I think it creates it automatically, but if you want it to add it to a service manually then this falls apart.

Well, if you think that acme.sh is issuing certificates for nginx, you can check what certificates paths nginx is using:

nginx -T | grep -i ssl_certificate

What worries me about your original post is that /etc/letsencrypt/ is the directory used by Certbot, not acme.sh. On the other hand, the .csr files are generated by acme.sh, not Certbot.

You could also try:

acme.sh --list
certbot certificates
3 Likes

The default location for acme.sh to store certs is:
/root/.acme.sh/yourdomain.name/
for certbot it’s:
/etc/letsencrypt/live/yourdomain.name/
[which links to actual files - use links]

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.