Let's encrypt + certbot: where is the private key
Ignore the csr and keys dirs; they essentially just contain temporary files during issuance.
Certbot always puts the latest version of all certificates under /etc/letsencrypt/live:
/etc/letsencrypt/live
├── mail.example.org
│   ├── cert.pem -> ../../archive/mail.example.org/cert8.pem
│   ├── chain.pem -> ../../archive/mail.example.org/chain8.pem
│   ├── fullchain.pem -> ../../archive/mail.example.org/fullchain8.pem
│   └── privkey.pem -> ../../archive/mail.example.org/privkey8.pem
└── www.example.org
    ├── cert.pem -> ../../archive/www.example.org/cert7.pem
    ├── chain.pem -> ../../archive/www.example.org/chain7.pem
    ├── fullchain.pem -> ../../archive/www.example.org/fullchain7.pem
    └── privkey.pem -> ../../archive/www.example.org/privkey7.pem
Therefore you would configure services like this:
SSLCertificateFile /etc/letsencrypt/live/www.example.org/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.example.org/privkey.pem
This way, services only need to be reloaded, not reconfigured, after every renewal. Use certbot's "deploy hook" feature to automate permission changes, service reloads, and anything else that needs automating.
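A deploy hook of the kind the answer describes, as an added example that is not part of the original answer: it resolves the live/ symlinks to the current archive files, restricts the private key to root plus one service group, and reloads the service. Certbot exports RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks; the group name ssl-cert and the reload command are assumptions.

```shell
#!/bin/sh
# Added example deploy hook (not from the original answer). Certbot calls it after a
# successful issuance/renewal with RENEWED_LINEAGE set to the live/ directory, e.g.
# /etc/letsencrypt/live/www.example.org. Register it with --deploy-hook.
KEY_GROUP="${KEY_GROUP:-ssl-cert}"                    # assumed: group of the service that reads the key
RELOAD_CMD="${RELOAD_CMD:-systemctl reload apache2}"  # assumed: how the service is reloaded

# Print the archive file a live/ symlink currently points to, resolving the
# relative ../../archive/... target against the lineage directory.
resolve_live_file() {
    lineage="$1"; name="$2"
    link="$lineage/$name"
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
    target=$(readlink "$link")
    case "$target" in
        /*) printf '%s\n' "$target" ;;
        *)  printf '%s\n' "$(cd "$lineage" && cd "$(dirname "$target")" && pwd)/$(basename "$target")" ;;
    esac
}

# Make the current key readable by root and KEY_GROUP only (mode 0640), never world-readable.
# The permission change is applied to the archive file, which is what the live/ link points to.
secure_privkey() {
    keyfile=$(resolve_live_file "$1" privkey.pem) || return 1
    chgrp "$KEY_GROUP" "$keyfile" && chmod 0640 "$keyfile"
}

# Hook entry point: tighten the key, confirm the chain resolves, then reload the service.
deploy_hook() {
    lineage="${1:-$RENEWED_LINEAGE}"
    secure_privkey "$lineage" || return 1
    fullchain=$(resolve_live_file "$lineage" fullchain.pem) || return 1
    echo "deployed $fullchain for ${RENEWED_DOMAINS:-$(basename "$lineage")}"
    $RELOAD_CMD
}

# When run by certbot (certbot certonly --deploy-hook /path/to/this-script ...), act on the renewed lineage.
if [ -n "$RENEWED_LINEAGE" ]; then
    deploy_hook
fi
```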
lhk
Updated on September 18, 2022
Comments
- lhk over 1 year
I've been using openssl to create key and certificate for my website. Which works fine, but leads to complaints from the browser. Now I would like to move to Let's Encrypt to get a proper certificate.
The setup was very simple: I installed certbot and followed the tutorial on their website.
I was surprised to read that certbot is supposed to be used with a flag certonly. Intuitively, this should mean that only a certificate is created. It should ask me for an existing key during the setup. Which it doesn't; instead, it creates both a new certificate and a new key.
sudo certbot certonly --standalone -d xxxx
...
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
....
But this key doesn't seem to exist. If I enter the path into my server, it complains about not finding the key.
I had problems with read permissions on my certificate, solved by this question: https://serverfault.com/questions/773440/lets-encrypt-ssl-certificate-file-not-found-error-but-still-working
The solution was to change access rights.
But I'm hesitant to do that with my private key. Internet security is so complex, I'm afraid I don't really know about the consequences of changing permissions regarding something as important as the private key.
How am I supposed to use the newly generated certificate? Where can I find the corresponding private key, and do I have to apply additional configuration?
- Daniel B about 7 years
Whatever is trying to use your key needs to be able to read your key. There is absolutely no way around this.
- user1686 about 7 years
Certbot's certonly actually means "just get a certificate but don't configure it", as opposed to certbot run, which actually configures Apache for you. (Many users, including myself, would prefer to avoid automated configuration editing – and of course not everyone uses Apache or nginx, either.)