What I ended up doing:
mkdir ~/cert && mkdir ~/cert/work-dir && mkdir ~/cert/logs-dir && certbot certonly --standalone --tls-sni-01-port 8443 --http-01-port 8080 -d 'domain.com' -m 'xyz@gmail.com' --config-dir ~/cert --agree-tos --no-eff-email --work-dir ~/cert/work-dir --logs-dir ~/cert/logs-dir
Handle everything within my home directory and run the certbot with all dirs linked to that. This way you don't need to sudo the certbot anymore, which somehow feels like the right thing to do (imho).
(OT) What this command does:
- Make a dir called cert in the home directory, and also the work and log dirs that certbot requires.
- Agree to all terms so the command will not block at any point. Also do a force renewal, even if the cert is not yet due for renewal (so do not spam this command!).
- Set the log dir
- Change the port that certbot listens on, because my webserver does not run with sudo, which makes it impossible to use port 80. All incoming traffic is rerouted to ports 8080 and 8443 by my firewall.
- The command can be spammed without using a renewal script. Just put it into a cronjob that runs every month or so.
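A cron-safe wrapper for the unprivileged certbot setup above, added here as an example (it is not part of the original answer): it checks the expiry of the certificate that certbot writes under the chosen config dir and only invokes certbot when the cert is missing or within RENEW_DAYS of expiry, so it can run daily without hitting ACME rate limits. It assumes the openssl CLI is installed; domain, email and paths are placeholders, and the tls-sni-01 port flag is omitted because that challenge type is no longer offered by Let's Encrypt.

```shell
#!/bin/sh
# renew.sh: run as "sh renew.sh run" from cron; no sudo needed.
set -u

CERT_ROOT="${CERT_ROOT:-$HOME/cert}"     # config/work/log dirs live here
DOMAIN="${DOMAIN:-domain.com}"           # placeholder domain
EMAIL="${EMAIL:-xyz@gmail.com}"          # placeholder contact address
RENEW_DAYS="${RENEW_DAYS:-30}"           # renew when fewer days remain

# needs_renewal CERT_FILE DAYS
# Returns 0 (true) when the cert is missing or expires within DAYS days,
# 1 (false) when it is still valid beyond that window.
needs_renewal() {
    cert="$1"; days="$2"
    [ -f "$cert" ] || return 0
    # "openssl x509 -checkend N" exits 0 if the cert is still valid N seconds
    # from now, so a 0 here means no renewal is needed yet.
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# run_certbot: the answer's unprivileged invocation with the http-01 port
# moved to 8080 (the firewall redirects 80 -> 8080). --non-interactive keeps
# certbot from prompting when an existing cert is found.
run_certbot() {
    mkdir -p "$CERT_ROOT/work-dir" "$CERT_ROOT/logs-dir"
    certbot certonly --standalone --http-01-port 8080 \
        -d "$DOMAIN" -m "$EMAIL" \
        --config-dir "$CERT_ROOT" \
        --work-dir "$CERT_ROOT/work-dir" \
        --logs-dir "$CERT_ROOT/logs-dir" \
        --agree-tos --no-eff-email --non-interactive
}

main() {
    # certbot stores the current chain at <config-dir>/live/<domain>/fullchain.pem
    live="$CERT_ROOT/live/$DOMAIN/fullchain.pem"
    if needs_renewal "$live" "$RENEW_DAYS"; then
        echo "renewing $DOMAIN" >&2
        run_certbot
    else
        echo "$DOMAIN valid for more than $RENEW_DAYS days, nothing to do" >&2
    fi
}

# Only act when invoked with "run", so the functions can be sourced safely.
case "${1:-}" in run) main ;; esac
```

Example crontab line: `0 3 * * * sh $HOME/cert/renew.sh run` runs the check nightly and only contacts Let's Encrypt when a renewal is actually due.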
Let's Encrypt doesn't put the certificates anywhere; it's a script you're running. Maybe certbot? You probably should check its configuration. Furthermore, you could easily symlink that directory or change the permissions for the folder appropriately. /etc should be readable. – Seth – 2020-01-02T10:57:28.383