2

Where is the cli.ini file for default letsencrypt package?

From Let's Encrypt docs, it's possible to set default rsa key length in a cli.ini file, however, I cannot find this file.

I want to make sure that all my certs have the same key size as I initially started with the default setup, but I increased my last certificate's key length with `certbot renew --rsa-key-size 3072 --nginx`.

By changing this in cli.ini it would be global and I wouldn't have to worry about it.

I also noticed that there is a certbot cronjob in /etc/cron.d. Can I append --nginx to the command safely?

```
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
```

would be

```
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew --nginx
```

Thanks awesomes!

Jayd

1 Answer

4

> Where is the cli.ini file for default letsencrypt package?

According to the documentation: “By default, the following locations are searched: /etc/letsencrypt/cli.ini, $XDG_CONFIG_HOME/letsencrypt/cli.ini (or ~/.config/letsencrypt/cli.ini if $XDG_CONFIG_HOME is not set).” The file does not necessarily exist by default, but you can certainly create it in one of the searched locations.

> I also noticed that there is a certbot cronjob in /etc/cron.d. Can I append --nginx to the command safely?

As this is a supported option, there should be no actual problem in adding it to the cron job, supposing you are actually running an nginx server. However, as the documentation states that all available command-line options can be configured in the cli.ini file, rather put it there too, for two main reasons: (a) clarity — better keep all configuration in a single place rather than specifying the key size in a config file and the used server in the cron job, and (b) updates — if the cron job has been created by a package manager (or any other form of installer), a future version might overwrite your changes, although most package managers warn users about modified configuration files that would get overwritten.

Ale
  • Thanks, I also missed that line `The file does not necessarily exist by default` ;) - Thanks for the tips, I'll put everything in that file. – Jayd Jun 29 '17 at 01:09
  • 1
    The "does not exist by default part" was *not* in the documentation ;) – Ale Jun 29 '17 at 08:30
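
An added example, not part of the question, the answer or certbot itself: a small script that checks the cli.ini locations quoted in the answer and reports the `rsa-key-size` each existing file sets. The function names and the optional directory argument are hypothetical, and the parser assumes settings are written one per line in `key = value` form.

```shell
#!/bin/sh
# Added example: locate cli.ini in the documented search locations and
# report the rsa-key-size configured in each file that exists.

# Print the searched locations, one per line, in the order the answer quotes them.
# $1 (optional, hypothetical) replaces /etc/letsencrypt, e.g. for a dry run.
cli_ini_candidates() {
    etc_dir="${1:-/etc/letsencrypt}"
    printf '%s\n' "$etc_dir/cli.ini"
    # Falls back to ~/.config when XDG_CONFIG_HOME is not set.
    printf '%s\n' "${XDG_CONFIG_HOME:-$HOME/.config}/letsencrypt/cli.ini"
}

# Print the value of key $2 in ini file $1 (assumed "key = value" form).
# Commented-out lines are ignored; if the key appears twice the last one is printed.
ini_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# One line per searched location: missing, unset, or the configured key size.
report_key_size() {
    cli_ini_candidates "$1" | while IFS= read -r f; do
        if [ -f "$f" ]; then
            v=$(ini_value "$f" rsa-key-size)
            printf '%s: rsa-key-size=%s\n' "$f" "${v:-unset}"
        else
            printf '%s: missing\n' "$f"
        fi
    done
}

report_key_size "$@"
```

A location reported as `missing` is one where the file can be created; `unset` means the file exists but does not pin a key size.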