Not Secure after certificate was issued

OP was using --work-dir=. --config-dir=. --logs-dir=. so the certificates are in whatever directory OP was in when Certbot was run...

5 Likes

So, --config-dir changes the path where certs are stored? I thought it was just the location for the config ini file. The default path for the other two isn't /etc/letsencrypt, so it doesn't seem like they would affect cert location.

--config-dir CONFIG_DIR  Configuration directory. (default: /etc/letsencrypt)
--work-dir WORK_DIR   Working directory. (default: /var/lib/letsencrypt)
--logs-dir LOGS_DIR   Logs directory. (default: /var/log/letsencrypt)
3 Likes

My original cmd was copied from somewhere (and I didn't fully understand all parts of it), so this line is optional:
--work-dir=. --config-dir=. --logs-dir=.
Without it, any subsequent troubleshooting would be easier.

root@certbot:/home/ubuntu# ll
total 164
drwxr-x--- 14 ubuntu ubuntu 4096 Jan 22 14:16 ./
drwxr-xr-x 4 root root 4096 Jan 20 22:50 ../
-rw------- 1 ubuntu ubuntu 38 Jan 22 02:02 .bash_history
-rw-r--r-- 1 ubuntu ubuntu 220 Jan 6 2022 .bash_logout
-rw-r--r-- 1 ubuntu ubuntu 3771 Jan 6 2022 .bashrc
drwx------ 2 ubuntu ubuntu 4096 Jan 20 23:17 .cache/
-rw-r--r-- 1 ubuntu ubuntu 807 Jan 6 2022 .profile
drwx------ 2 ubuntu ubuntu 4096 Jan 20 22:50 .ssh/
-rw-r--r-- 1 ubuntu ubuntu 0 Jan 21 13:37 .sudo_as_admin_successful
drwx------ 3 root root 4096 Jan 21 13:58 accounts/
drwxr-xr-x 3 root root 4096 Jan 21 14:30 archive/
drwxr-xr-x 2 root root 4096 Jan 21 13:58 backups/
drwxrwxr-x 2 ubuntu ubuntu 4096 Jan 22 14:19 cert2/
drwxr-xr-x 2 root root 4096 Jan 21 14:27 csr/
drwx------ 2 root root 4096 Jan 21 14:27 keys/
-rw-r--r-- 1 root root 32934 Jan 21 14:30 letsencrypt.log
-rw-r--r-- 1 root root 20147 Jan 21 14:21 letsencrypt.log.1
-rw-r--r-- 1 root root 17577 Jan 21 14:14 letsencrypt.log.2
-rw-r--r-- 1 root root 14629 Jan 21 14:04 letsencrypt.log.3
-rw-r--r-- 1 root root 0 Jan 21 13:58 letsencrypt.log.4
drwxr-xr-x 3 root root 4096 Jan 21 14:30 live/
drwxr-xr-x 2 root root 4096 Jan 21 14:30 renewal/
drwxr-xr-x 5 root root 4096 Jan 21 13:58 renewal-hooks/
drwx------ 3 ubuntu ubuntu 4096 Jan 22 12:24 snap/

Now suppose I didn't do anything yet, and I am just going to get the certificate for the very first time on this Ubuntu machine: what should the command look like? Which one has the potential for auto renewal and easy management? I know there are many options and paths, but let's see one basic and professional statement please :slight_smile:

I tested --config-dir a little and, yes, it changes the default /etc/letsencrypt for many components such as accounts, archive, live, renewal and the rest.

Using --config-dir can easily cause problems, so care must be used. For example, if you create a cert with --config-dir /some/folder you must then use --config-dir for other commands too. Like

certbot certificates --config-dir /some/folder

In this thread, they used '.', so you must run from the same place as you got the cert, or substitute the full path used if running certbot certificates from a different o/s working dir.

More importantly, the need to use --config-dir also applies to certbot renew !

Unless you have a specialized need for this kind of setup, I don't recommend using --config-dir

3 Likes
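As an added example (not from this thread or from Certbot itself), a small shell check that recognises a Certbot config directory by its layout (live/, archive/, renewal/, with live/<name>/fullchain.pem linking into archive/<name>/) and prints the --config-dir flag that later commands, including certbot renew, will need. The lineage name example.test and the temp layout are constructed for the demo.

```shell
#!/bin/sh
# certbot_config_dir_check DIR
# Returns 0 and prints the flag to pass to later certbot commands when DIR
# has the layout Certbot writes under its config dir; returns 1 otherwise.
certbot_config_dir_check() {
    dir=$1
    for sub in live archive renewal; do
        [ -d "$dir/$sub" ] || return 1
    done
    found=0
    # Each lineage under live/ is a directory of symlinks into archive/.
    for lineage in "$dir"/live/*/; do
        [ -d "$lineage" ] || continue
        name=$(basename "$lineage")
        link="$lineage/fullchain.pem"
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case "$target" in
            */archive/"$name"/fullchain*.pem) found=$((found + 1)) ;;
        esac
    done
    [ "$found" -gt 0 ] || return 1
    # The default location needs no flag; anything else must be repeated on
    # every later command (certbot certificates, certbot renew, ...).
    if [ "$dir" = /etc/letsencrypt ]; then
        echo "default"
    else
        echo "--config-dir $dir"
    fi
}

# Constructed sample: a temp dir with the same subfolders as the listing
# above and one hypothetical lineage, example.test.
make_sample_config_dir() {
    base=$(mktemp -d)
    mkdir -p "$base/live/example.test" "$base/archive/example.test" "$base/renewal"
    : > "$base/archive/example.test/fullchain1.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$base/live/example.test/fullchain.pem"
    echo "$base"
}
```

Run it against the directory you were in when Certbot was invoked (here /home/ubuntu) to confirm which flag certbot renew needs.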

certbot certificates --config-dir /home/ubuntu
Yes, I see my certificate now :slight_smile:

You have to use a challenge method that allows automation. See (this topic) for an intro to challenges. You then can use any number of ACME clients to get a cert from Let's Encrypt. Certbot is just one and its docs show how to use these different challenges (start here).

I noted earlier that HTTP Challenge is often easier. Your server, Apex, does not have a built-in plugin with Certbot, so you could use the --webroot method. But this requires you to know your "document root" for your web server. If you were using a more commonly used system I could inform you better, but I don't wish to learn Apex.

Most of the people helping on this forum are volunteers (like me). As is common among people, we don't always have the same opinion or knowledge base. For you, there is a learning curve involved in using certificates. And, in running server services. To minimize a learning curve you could choose a different hosting provider that offers built-in support for more features.

2 Likes

Thank you so much for the valuable info!
I always have the highest respect for volunteers, they are the true heroes, to keep the community alive and moving!
Again, thank you for all the links, I will review them one by one.
Sincerely appreciate your help!

3 Likes