Running multiple EC2 instances wanting to store certs on EFS

Hi,

I am looking to run multiple nginx servers, currently only one will be running certbot, but I am trying to store the letsencrypt certs onto a different hdd than the letsencrypt. Can I change the /etc/letsencrypt path? Is there a config? The different hdd is automatically shared between all the nginx servers, so they would all load the same cert files.

Thanks,

Yes.

If you mean an option for certbot to change that: yes. Please see the output of certbot --help all.

I do not know if those path option(s) are stored in a renewal file. I'm guessing it's not possible to add it to cli.ini, as that configuration file is stored in the configuration directory. So that would lead to a catch-22.

Correction: certbot-auto. I do not see a --config in the certbot-auto --help.

certbot-auto is just a wrapper script; it should pass through the output of the underlying certbot. Did you try certbot-auto --help all? Or just check the site I linked to.

I missed the all, I see it now, thank you. I looked at the link but I think I have what I need, thank you Osiris!

  -c CONFIG_FILE, --config CONFIG_FILE
                    path to config file (default: /etc/letsencrypt/cli.ini
                    and ~/.config/letsencrypt/cli.ini)

I do not see a cli.ini file anywhere, I tried copying the letsencrypt folder to my volume, and I scanned for cli.ini, but I am not finding a config file.

Thanks.

Check out the --config-dir option, and maybe some of the other related options. (Like, for example, --work-dir.)

I’m not sure you need --config. I’m not sure you can use --config.

Most Certbot packages don’t create a /etc/letsencrypt/cli.ini file by default, since the defaults are fine. But I don’t know if creating a file in /etc/letsencrypt/ saying "don’t use /etc/letsencrypt/" works.

Using the home directory config file location might be good, if that works for you.

Or always remembering to set the options on the command line.

Or maybe sym linking or bind mounting /etc/letsencrypt/, so everything can just use the default paths?

Or maybe sym linking or bind mounting /etc/letsencrypt/ , so everything can just use the default paths?

AWESOME IDEA! I have copied the letsencrypt folder to my EFS volume, and I am going to make the deployment make a symlink to that folder! That should work! Thank you so much for the idea!

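The symlink approach the thread settles on, written as a deployment step (an added example, not code from any poster). The function name `link_letsencrypt` and the mount path in the comment are hypothetical. Because every instance that mounts the share can read it, the function also refuses to switch over if a private key on the shared copy lost its restrictive mode during the copy.

```shell
#!/bin/sh
# Added example. On a real host SHARED_DIR would be the copy on the shared
# volume (hypothetical: /mnt/efs/letsencrypt) and LINK_PATH /etc/letsencrypt.
# Paths are parameters so the function can be tried on scratch directories.
#
# link_letsencrypt SHARED_DIR LINK_PATH
# Returns 0 on success, 2 if the shared copy has no live/ directory,
# 3 if a private key file is readable by group or others,
# 4 if a previous backup of LINK_PATH is in the way.
link_letsencrypt() {
    shared=$1
    link=$2

    # The copied tree must look like a certbot configuration directory.
    [ -d "$shared/live" ] || { echo "no live/ under $shared" >&2; return 2; }

    # -type f skips the live/ symlinks (their own mode is always 0777) and
    # checks the real key files they point to under archive/.
    loose=$(find "$shared" -type f -name 'privkey*.pem' \
        \( -perm -040 -o -perm -004 \) -print)
    if [ -n "$loose" ]; then
        echo "private keys readable by group or others:" >&2
        echo "$loose" >&2
        return 3
    fi

    # Idempotent: nothing to do when the link already points at the share.
    if [ -L "$link" ] && [ "$(readlink "$link")" = "$shared" ]; then
        return 0
    fi

    # Move an existing local directory (or stale link) aside, never delete it.
    if [ -e "$link" ] || [ -L "$link" ]; then
        [ ! -e "$link.local-bak" ] || { echo "$link.local-bak exists" >&2; return 4; }
        mv "$link" "$link.local-bak" || return 1
    fi

    ln -s "$shared" "$link"
}
```

Only the instance that runs certbot needs write access to the shared directory; the other nginx servers only read from it.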
