Let's encrypt + certbot: where is the private key

13

5

I've been using openssl to create a key and certificate for my website. This works fine, but leads to complaints from the browser.

Now I would like to move to Let's Encrypt to get a proper certificate.

The setup was very simple, I installed certbot and followed the tutorial on their website.

I was surprised to read that certbot is supposed to be used with the flag certonly. Intuitively, this should mean that only a certificate is created. It should ask me for an existing key during the setup. Which it doesn't; instead, it creates both a new certificate and a new key.

sudo certbot certonly --standalone -d xxxx

...

Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

....

But this key doesn't seem to exist. If I enter the path into my server, it complains about not finding the key.

I had problems with read permissions on my certificate, solved by this question: https://serverfault.com/questions/773440/lets-encrypt-ssl-certificate-file-not-found-error-but-still-working

The solution was to change access rights.

But I'm hesitant to do that with my private key. Internet security is so complex, I'm afraid I don't really know about the consequences of changing permissions regarding something as important as the private key.

How am I supposed to use the newly generated certificate? Where can I find the corresponding private key, and do I have to apply additional configuration?

lhk

Posted 2017-04-01T10:47:06.793

Reputation: 283

Whatever is trying to use your key needs to be able to read your key. There is absolutely no way around this. – Daniel B – 2017-04-01T10:58:27.170

1

Certbot's certonly actually means "just get a certificate but don't configure it", as opposed to certbot run which actually configures Apache for you. (Many users, including myself, would prefer to avoid automated configuration editing – and of course not everyone uses Apache or nginx, either.) – user1686 – 2017-04-01T11:05:26.420

Answers

22

Ignore the csr and keys dirs; they essentially just contain temporary files during issuance.

Certbot always puts the latest version of all certificates under /etc/letsencrypt/live:

/etc/letsencrypt/live
├── mail.example.org
│   ├── cert.pem -> ../../archive/mail.example.org/cert8.pem
│   ├── chain.pem -> ../../archive/mail.example.org/chain8.pem
│   ├── fullchain.pem -> ../../archive/mail.example.org/fullchain8.pem
│   └── privkey.pem -> ../../archive/mail.example.org/privkey8.pem
└── www.example.org
    ├── cert.pem -> ../../archive/www.example.org/cert7.pem
    ├── chain.pem -> ../../archive/www.example.org/chain7.pem
    ├── fullchain.pem -> ../../archive/www.example.org/fullchain7.pem
    └── privkey.pem -> ../../archive/www.example.org/privkey7.pem

Therefore you would configure services like this:

SSLCertificateFile     /etc/letsencrypt/live/www.example.org/fullchain.pem
SSLCertificateKeyFile  /etc/letsencrypt/live/www.example.org/privkey.pem

This way, services only need to be reloaded, not reconfigured, after every renew. Use certbot's "deploy hook" feature to automate permission changes, service reloads, and anything else that needs automating.

user1686

Posted 2017-04-01T10:47:06.793

Reputation: 283 655
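As an added illustration of the answer's last paragraph (this is example code, not certbot's own and not from the answerer), here is a deploy hook script built around the live/archive layout shown above. Certbot really does export RENEWED_LINEAGE (the /etc/letsencrypt/live/<name> directory) and RENEWED_DOMAINS to a --deploy-hook script; SERVICE_GROUP and RELOAD_CMD are assumed operator-set names. The hook resolves the live symlinks to the archive files they currently point at, restricts the private key to the owner plus at most one service group (so it is never world-readable), refuses to continue if the key is still readable by others, and then reloads the service.

```shell
#!/bin/sh
# Added example deploy hook, not certbot's own code. Certbot exports
# RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) and RENEWED_DOMAINS to a
# --deploy-hook script after each successful renewal.
# SERVICE_GROUP and RELOAD_CMD are assumed names an operator would set.
SERVICE_GROUP=${SERVICE_GROUP:-}                       # e.g. www-data; empty = owner-only key
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload apache2"}   # assumed reload command

# Print the archive file that a live symlink currently points at
# (live/<name>/privkey.pem -> archive/<name>/privkeyN.pem).
resolve_live_file() {
    link="$1/$2"
    [ -L "$link" ] || { echo "not a symlink: $link" >&2; return 1; }
    readlink -f "$link"
}

# Octal permission bits of a file; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeeds only if "other" has no read bit on the file (last octal digit 0-3).
key_not_world_readable() {
    case "$(file_mode "$1")" in
        *[0-3]) return 0 ;;
        *)      return 1 ;;
    esac
}

# Restrict a private key to its owner plus (optionally) one service group:
# mode 640 when a group is configured, 600 otherwise.
restrict_key() {
    key=$1
    if [ -n "$SERVICE_GROUP" ]; then
        chgrp "$SERVICE_GROUP" "$key"
        chmod 640 "$key"
    else
        chmod 600 "$key"
    fi
}

deploy_hook() {
    lineage=${RENEWED_LINEAGE:?RENEWED_LINEAGE is set by certbot}
    key=$(resolve_live_file "$lineage" privkey.pem) || return 1
    chain=$(resolve_live_file "$lineage" fullchain.pem) || return 1
    # The archive file is the real key; the live name is only a symlink to it.
    restrict_key "$key"
    # A key still readable by everyone at this point is a configuration bug.
    key_not_world_readable "$key" || {
        echo "refusing to reload: $key is world-readable" >&2
        return 1
    }
    echo "renewed $RENEWED_DOMAINS: key=$key chain=$chain"
    $RELOAD_CMD
}

# Only act when certbot invoked us; sourcing the file just defines the functions.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    deploy_hook
fi
```

Register it with certbot's existing --deploy-hook option (for example on the renew command); it is run once per renewed lineage. Note that the service user must also be able to traverse the live/ and archive/ directories (execute permission on the directories), not just read the key file, which is the class of problem the serverfault question linked above is about.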