Let's encrypt + certbot: where is the private key

Question

I've been using openssl to create key and certificate for my website. Which works fine, but leads to complaints from the browser.

Now I would like to move to Let's Encrypt to get a proper certificate.

The setup was very simple, I installed certbot and followed the tutorial on their website.

I was surprised to read that certbot is supposed to be used with a flag certonly. Intuitively, this should mean that only a certificate is created. It should ask me for an existing key during the setup. Which is doesn't, instead, it creates both a new certificate and a new key.

sudo certbot certonly --standalone -d xxxx

...

Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

....

But this key doesn't seem to exist. If I enter the path into my server, it complains about not finding the key.

I had problems with read permissions on my certificate, solved by this question: https://serverfault.com/questions/773440/lets-encrypt-ssl-certificate-file-not-found-error-but-still-working

The solution was to change access rights.

But I'm hesitant to do that with my private key. Internet security is so complex, I'm afraid I don't really know about the consequences of changing permissions regarding something as important as the private key.

How am I supposed to use the newly generated certificate. Where can I find the corresponding private key and do I have to apply additional configuration ?

Answer 1

Ignore the csr and keys dirs; they essentially just contain temporary files during issuance.

Certbot always puts the latest version of all certificates under /etc/letsencrypt/live:

/etc/letsencrypt/live
├── mail.example.org
│   ├── cert.pem -> ../../archive/mail.example.org/cert8.pem
│   ├── chain.pem -> ../../archive/mail.example.org/chain8.pem
│   ├── fullchain.pem -> ../../archive/mail.example.org/fullchain8.pem
│   └── privkey.pem -> ../../archive/mail.example.org/privkey8.pem
└── www.example.org
    ├── cert.pem -> ../../archive/www.example.org/cert7.pem
    ├── chain.pem -> ../../archive/www.example.org/chain7.pem
    ├── fullchain.pem -> ../../archive/www.example.org/fullchain7.pem
    └── privkey.pem -> ../../archive/www.example.org/privkey7.pem

Therefore you would configure services like this:

SSLCertificateFile     /etc/letsencrypt/live/www.example.org/fullchain.pem
SSLCertificateKeyFile  /etc/letsencrypt/live/www.example.org/privkey.pem

This way, services only need to be reloaded, not reconfigured, after every renew. Use certbot's "deploy hook" feature to automate permission changes, service reloads, and anything else that needs automating.