I've been using openssl to create key and certificate for my website.
Which works fine, but leads to complaints from the browser.
Now I would like to move to Let's Encrypt to get a proper certificate.
The setup was very simple, I installed certbot and followed the tutorial on their website.
I was surprised to read that certbot is supposed to be used with a flag certonly. Intuitively, this should mean that only a certificate is created. It should ask me for an existing key during the setup. Which is doesn't, instead, it creates both a new certificate and a new key.
sudo certbot certonly --standalone -d xxxx
...
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
....But this key doesn't seem to exist. If I enter the path into my server, it complains about not finding the key.
I had problems with read permissions on my certificate, solved by this question:
The solution was to change access rights.
But I'm hesitant to do that with my private key. Internet security is so complex, I'm afraid I don't really know about the consequences of changing permissions regarding something as important as the private key.
How am I supposed to use the newly generated certificate. Where can I find the corresponding private key and do I have to apply additional configuration ?
21 Answer
Ignore the csr and keys dirs; they essentially just contain temporary files during issuance.
Certbot always puts the latest version of all certificates under /etc/letsencrypt/live:
/etc/letsencrypt/live ├── mail.example.org │ ├── cert.pem -> ../../archive/ │ ├── chain.pem -> ../../archive/ │ ├── fullchain.pem -> ../../archive/ │ └── privkey.pem -> ../../archive/ └── ├── cert.pem -> ../../archive/ ├── chain.pem -> ../../archive/ ├── fullchain.pem -> ../../archive/ └── privkey.pem -> ../../archive/
Therefore you would configure services like this:
SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/This way, services only need to be reloaded, not reconfigured, after every renew. Use certbot's "deploy hook" feature to automate permission changes, service reloads, and anything else that needs automating.