Where can I find the location in Apache2 for cert, key, and chain?

I am using an Apache2 server on an Ubuntu 14 OS and acme.sh to download and install certs from Let's Encrypt. In the acme.sh docs, it is written that to install in Apache, run the below:

acme.sh --install-cert -d example.com \
--cert-file      /path/to/certfile/in/apache/cert.pem  \
--key-file       /path/to/keyfile/in/apache/key.pem  \
--fullchain-file /path/to/fullchain/certfile/apache/fullchain.pem \
--reloadcmd     "service apache2 force-reload"

However, I do not know the location to put in the above command. Any ideas?

Having said that, I manually edited the conf file in the sites-enabled folder in apache2 and put the path of the downloaded cert there, and it works fine. My website is now being served with https. But I wanted the acme.sh command to install it for me, hence the question.

Thanks for the help.


Hi @rampatra, and welcome to the LE community forum :slight_smile:

I hate to come off as being negative, but your topic is clearly an acme-sh usage question, one that should be asked directly to their support.
It also indirectly references Apache - which is also not directly covered by this forum.

So, from this perspective, it sums to:
How can I use this third-party ACME client with this other third-party web server?
And although I'm sure plenty here know exactly how to do that, this is not the place for such a question to be asked and even less of a place for it to be answered; as that answer would likely never benefit any others with such a similar problem.
[which is a very large purpose of community forums - helping as many as quickly as possible]


Yes, I thought the same after posting it here. I dropped a few other queries for them on GitHub. I will ask this too there.

I couldn’t delete this post here but if you have the privilege then please go ahead.


Sorry, but this weird treatment of acme.sh is seriously getting on my nerves. acme.sh questions are certainly welcome here in my opinion and there are many users here who are familiar with it and can help. This isn't a Certbot-only forum.

You can put whatever paths you want; it is totally user-defined.

The idea in the acme.sh --install-cert command is to copy the certificate into a well-known place, chosen by the user.

Loading it from ~/.acme.sh/ is documented to be risky, because the software might one day change the internal structure of that directory.

So, you could just say:

acme.sh --install-cert -d example.com \
--fullchain-file /etc/apache2/fullchain.pem \
--key-file /etc/apache2/privkey.pem \
--reloadcmd "service apache2 force-reload"

and that would be enough. It's not really important whether it goes in /etc/apache2 or somewhere else of your choosing.

What this command won't do is actually configure Apache to use the certificate. You will still need to open up the Apache configuration files and configure the certificate yourself.

https://ssl-config.mozilla.org can help you to find a suitable configuration and, with the example above, the paths you would use are:

SSLCertificateFile /etc/apache2/fullchain.pem
SSLCertificateKeyFile /etc/apache2/privkey.pem
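
A check one could run after the `--install-cert` command above, as an added example that is not part of the original posts or of acme.sh: it confirms the installed files exist, that the private key is not world-readable, and that the Apache config references the same paths. The function names and the single-config-file layout are assumptions.

```shell
#!/bin/sh
# Added example (not from acme.sh or the thread): verify an --install-cert result.

# Print the path given to an Apache directive; commented-out lines are ignored.
# Assumes paths without spaces, as in the thread's example.
directive_path() {  # $1 = directive name, $2 = Apache config file
    awk -v d="$1" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# True when users other than the owner and group can read the file.
key_is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 -print)" ]
}

# Print each problem found; the return status is the number of problems.
check_install() {  # $1 = Apache config, $2 = fullchain path, $3 = key path
    conf=$1 fullchain=$2 key=$3 problems=0
    for f in "$fullchain" "$key"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f"
            problems=$((problems + 1))
        fi
    done
    if [ -e "$key" ] && key_is_world_readable "$key"; then
        echo "private key is world-readable: $key"
        problems=$((problems + 1))
    fi
    for pair in "SSLCertificateFile=$fullchain" "SSLCertificateKeyFile=$key"; do
        name=${pair%%=*} want=${pair#*=}
        got=$(directive_path "$name" "$conf")
        if [ "$got" != "$want" ]; then
            echo "$name is '$got', expected '$want'"
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Stand-alone use: sh check.sh <apache-conf> <fullchain> <key>
if [ "$#" -eq 3 ]; then check_install "$@"; fi
```

Apache reads the key as root at startup, so a key readable only by its owner does not stop the server from loading it.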

I repeat myself:

@rampatra, if you do find an answer that works, please post that answer in the correct forum for others to benefit from it.


Welcome to the Let's Encrypt Community, Ram :slightly_smiling_face:

For me, you stated the magic words in your first sentence. There has been a growing divide here lately due to acme.sh being owned by a for-profit CA and switching to acquire certificates from that for-profit CA by default. Many of us have frequently struggled with, in the opinion of many of us here, the less than useful documentation of acme.sh. To this end, @rg305 is simply following direct guidance from the Let's Encrypt staff (as is @_az). As for the matter at hand, I have nothing more to offer than what @_az has already stated.


Wow! I totally missed that part :frowning:

Using the /etc/apache location for acme.sh to store certs would ensure that Apache can have access to those files.
I would take it one step at a time though.
First make sure acme.sh can place renewed certs there before making any modifications to Apache.

