Save cert in different folder


#1

My server runs nginx in a chroot jail. I’ve successfully created the certificates using the certonly --manual options. The problem I’m facing is that the certificates are placed in the /etc/letsencrypt/live/domain/ directory (actually symlinked to /etc/letsencrypt/archive), which is outside of my chroot jail (located at /srv/http). So I cannot symlink to them.

Is there a way to save/place the certificates directly in a different folder whenever I make/renew them? If not, what would be a secure way to place them in the chroot jail? Simply copying them? The manual discourages this and would rather have me “point your (web) server configuration directly to those files (or create symlinks)”. As explained this is not possible because of the jail.


#2

Can you make a bind mount from /etc/letsencrypt to your jailed structure? That would be the easiest way that I can think of.


#3

Thanks motoko, this seems to be the easiest way to do it. However, any changes inside the jail will now also be apparent in the real file system.

So before I received your answer I just manually copied the required certificates to the chroot jail. I changed the owner to my jail user and I made the permissions more restrictive. Although this method takes a bit more work I think it is a bit “safer”.
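
The copy approach described in the thread, as an added example script that is not part of the original posts: it resolves the `live/` symlinks, copies the certificate chain and key into the jail, and sets owner and mode before the files appear under their final names. The function name `install_certs`, the destination under `/srv/http` and the user `jailuser` are assumptions; `fullchain.pem` and `privkey.pem` are the standard file names in a `live/` directory.

```shell
#!/bin/sh
# Added example: copy Let's Encrypt files from live/ into a chroot jail.
# install_certs LIVE_DIR DEST_DIR [OWNER[:GROUP]]
install_certs() {
    live_dir=$1
    dest_dir=$2
    owner=${3:-}

    mkdir -p "$dest_dir" || return 1
    chmod 700 "$dest_dir" || return 1
    if [ -n "$owner" ]; then
        chown "$owner" "$dest_dir" || return 1
    fi

    for name in fullchain.pem privkey.pem; do
        src="$live_dir/$name"
        # live/ holds symlinks into archive/; -s fails on a dangling link
        # or an empty file, so a broken renewal never replaces good files.
        [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }

        # mktemp creates the file with mode 0600, so the key is never
        # readable by others, even briefly.
        tmp=$(mktemp "$dest_dir/.$name.XXXXXX") || return 1
        # -L copies the file the symlink points to, not the link itself.
        cp -L "$src" "$tmp" || { rm -f "$tmp"; return 1; }

        case $name in
            privkey.pem) mode=600 ;;
            *)           mode=644 ;;
        esac
        chmod "$mode" "$tmp" || { rm -f "$tmp"; return 1; }
        if [ -n "$owner" ]; then
            chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
        fi
        # rename within one directory is atomic: the server sees either
        # the old file or the complete new one.
        mv -f "$tmp" "$dest_dir/$name" || { rm -f "$tmp"; return 1; }
    done
}

# Example call (assumed paths and user), run as root:
#   sh install_certs.sh /etc/letsencrypt/live/domain /srv/http/etc/ssl/domain jailuser
[ "$#" -lt 2 ] || install_certs "$@"
```

The copy has to be repeated after every renewal, followed by an nginx reload, because the files in the jail do not follow the `live/` symlinks.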