Certbot ignores webroot folder

Question

Running this command from root,

certbot certonly --webroot -w /home/myuser/myfolder/public/ -d subdomain.my.site

Certbot doesn't care about this folder and proceeds to put certificates somewhere else:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/subdomain.my.site/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/subdomain.my.site/privkey.pem

Why? I like really need them in that folder, my web server shouldn't have access to /etc/

I also expected certbot to create all these .well-known/acme-challenge/whatever folders

Because it is going to expire sometimes and it would be sad to move files by hand

Also the web server is express so this is why I'm not using predefined options like certbot apache2 :(

UPD. this is the guide I was trying to follow - https://www.sitepoint.com/how-to-use-ssltls-with-node-js/

So how am I supposed to access /etc/... if I'm running an express server without any root

Answer 1

The webroot option for certbot is for telling certbot which directory for the .wellknown-folder during the http challegenge.

Certbot itself does not have a way to change the location, where it stores the requested certs.

Either copy them yourself, or consider using another tool like dehydrated where you can choose where the certs are stored.