
Certbot seems to manage X.509 certificates and private keys in its own directory structure in /etc/letsencrypt.

On Debian-based systems (including Ubuntu, Linux Mint and others) X.509 certificates are classically stored in /etc/ssl/certs and private keys in /etc/ssl/private. The certificates are normally world-readable and the private keys are restricted to the ssl-cert group and may also be readable by specific service users.

Is there an established way to make Certbot respect the classic Debian structure? Maintaining links to the classic directories would probably be enough, in addition to managing file ownership and group assignment for services.

I could imagine configuration options to do this, but I can also imagine there might be installer plugins around for that task; I just couldn't find anything about this.

    Don't. You should instead respect the certbot structure. – Michael Hampton Dec 10 '20 at 19:00
  • Any reason to prefer one over the other? I would argue that it is a lot of work and causes trouble to go against the standard given by all the packages in my Linux distribution. In addition, I don't see that the access rights management concerns are handled in any way by Certbot's approach. Also, as a long time Debian admin, I can imagine that it confuses people not to find the certs in their usual locations. I also think it is rather unusual to prefer the directory conventions of one software package against the ones of the whole software distribution. – aef Dec 10 '20 at 19:02
  • Also, this further locks me in to Certbot and makes a switch to a different ACME client much harder because all of my system services need to be touched. – aef Dec 10 '20 at 19:50

1 Answer


If I were to do this I would leave the /etc/letsencrypt tree exactly as it is (because anyone seeing the use of LE would expect it) and then use my configuration management tooling to create symlinks in the /etc/ssl tree as appropriate to point to the symlinks in /etc/letsencrypt/live/CERTNAME directory.

The documentation does mention changing file locations too, but I don't know if it will be possible to do what you want.

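The symlink approach from the answer, written out as an added example (not from the answer's author or the Certbot project). It links the classic Debian paths to the live/ symlinks, applies the ssl-cert group access the question asks about to the current archive key only, and includes a readability check to run as the service user; the lineage name example.test, the fake-tree helper and the function names are assumptions made for the offline demo.

```shell
#!/bin/sh
# link_le_cert NAME [LE_DIR] [SSL_DIR] [GROUP]
# Expose a Certbot lineage at the classic Debian paths:
#   SSL_DIR/certs/NAME.pem   -> LE_DIR/live/NAME/fullchain.pem
#   SSL_DIR/private/NAME.key -> LE_DIR/live/NAME/privkey.pem
# and let members of GROUP (ssl-cert by default) read the current key.
link_le_cert() {
    name=$1; le_dir=${2:-/etc/letsencrypt}; ssl_dir=${3:-/etc/ssl}; group=${4:-ssl-cert}
    live="$le_dir/live/$name"; archive="$le_dir/archive/$name"
    # Only link a complete lineage; a half-written one must not reach services
    for f in fullchain.pem privkey.pem; do
        [ -r "$live/$f" ] || { echo "link_le_cert: $live/$f missing" >&2; return 1; }
    done
    mkdir -p "$ssl_dir/certs" "$ssl_dir/private"
    # Link to live/, not archive/: renewal re-points live/, so links stay valid
    ln -sfn "$live/fullchain.pem" "$ssl_dir/certs/$name.pem"
    ln -sfn "$live/privkey.pem"   "$ssl_dir/private/$name.key"
    # Mode and group sit on the archive/ target, not on symlinks, and Certbot
    # creates live/ and archive/ as 0700 root, so the group also needs traverse
    # rights on those directories. Only the current key gets group read.
    if [ "$(id -u)" -eq 0 ] && getent group "$group" >/dev/null 2>&1; then
        key=$(readlink -f "$live/privkey.pem")   # archive/NAME/privkeyN.pem
        chgrp "$group" "$le_dir/live" "$le_dir/archive" "$live" "$archive" "$key"
        chmod 0750 "$le_dir/live" "$le_dir/archive" "$live" "$archive"
        chmod 0640 "$key"
    fi
}
# check_le_link NAME [SSL_DIR]: succeeds only if both classic paths are symlinks
# that resolve to files readable by the caller (run it as the service user).
check_le_link() {
    ssl_dir=${2:-/etc/ssl}
    for p in "$ssl_dir/certs/$1.pem" "$ssl_dir/private/$1.key"; do
        [ -L "$p" ] && [ -r "$p" ] || { echo "check_le_link: $p unusable" >&2; return 1; }
    done
}

# make_fake_lineage LE_DIR NAME: constructed stand-in for Certbot's tree
# (archive/NAME/*1.pem plus relative live/ symlinks) so the demo runs offline.
make_fake_lineage() {
    mkdir -p "$1/archive/$2" "$1/live/$2"
    printf 'FAKE CERT\n' > "$1/archive/$2/fullchain1.pem"
    printf 'FAKE KEY\n'  > "$1/archive/$2/privkey1.pem"
    chmod 0600 "$1/archive/$2/privkey1.pem"
    ln -sfn "../../archive/$2/fullchain1.pem" "$1/live/$2/fullchain.pem"
    ln -sfn "../../archive/$2/privkey1.pem"   "$1/live/$2/privkey.pem"
}

# Stand-alone demo: fake lineage in a temp dir, linked and then verified
demo() { d=$(mktemp -d); make_fake_lineage "$d/le" example.test; link_le_cert example.test "$d/le" "$d/ssl" && check_le_link example.test "$d/ssl"; }
```

Call demo for the offline demonstration; on a real host, re-run link_le_cert from a Certbot deploy hook (/etc/letsencrypt/renewal-hooks/deploy/) so the group mode is reapplied to each new archive key after renewal.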