README: Document where files are written and read from #54

New Issue

adam · 2025-12-29T00:23:34+01:00

adam commented

2025-12-29 00:23:34 +01:00

Originally created by @nomeata on GitHub (Feb 7, 2016).

From reading the README, I could not gather this information:

Where is the domains.txt file searched for?
Where are the generated certificates written to, and with what file naming scheme? Is it compatible with the official client’s scheme?

Thanks,
Joachim

Originally created by @nomeata on GitHub (Feb 7, 2016). From reading the README, I could not gather this information: - Where is the `domains.txt` file searched for? - Where are the generated certificates written to, and with what file naming scheme? Is it compatible with the official client’s scheme? Thanks, Joachim

adam closed this issue

2025-12-29 00:23:35 +01:00

adam commented

2025-12-29 00:23:35 +01:00

@lukas2511 commented on GitHub (Feb 10, 2016):

Documentation in general should be worked on....

domains.txt is searched for in $BASEDIR, which is by default the directory with your config file
naming scheme is a bit different, where the official client had /etc/letsencrypt/live/example.org/... this script uses $BASEDIR/certs/example.org/....

Leaving this ticket open as a reminder to work on better documentation.

@lukas2511 commented on GitHub (Feb 10, 2016): Documentation in general should be worked on.... - domains.txt is searched for in `$BASEDIR`, which is by default the directory with your config file - naming scheme is a bit different, where the official client had `/etc/letsencrypt/live/example.org/...` this script uses `$BASEDIR/certs/example.org/...`. Leaving this ticket open as a reminder to work on better documentation.

adam commented

2025-12-29 00:23:36 +01:00

@zeroinformatique commented on GitHub (Mar 17, 2016):

Hi Lukas. Thanks for the script.
It's true that a better documentation would be nice. I'm not a SSL expert and I have no idea how to use your script. I created the http acme-challenge directory for my domains, filled config.sh ... what now?

Edit: I got it to work after a bit of fiddling and guess. It's a very nice script, does the job.
What I had to guess :
"--cron" is actually to start the script.
Once done with the test server, you have to delete all the certs + the private key and --cron again with the production server.
.pem and .crt are the same thing in Apache's config
How to create a user for the script, chown the folder and its content, then crontab -u letsencrypt -e
0 0 1 * * /opt/letsencrypt/letsencrypt.sh --cron

@zeroinformatique commented on GitHub (Mar 17, 2016): Hi Lukas. Thanks for the script. It's true that a better documentation would be nice. I'm not a SSL expert and I have no idea how to use your script. I created the http acme-challenge directory for my domains, filled config.sh ... what now? Edit: I got it to work after a bit of fiddling and guess. It's a very nice script, does the job. What I had to guess : "--cron" is actually to start the script. Once done with the test server, you have to delete all the certs + the private key and --cron again with the production server. .pem and .crt are the same thing in Apache's config How to create a user for the script, chown the folder and its content, then crontab -u letsencrypt -e 0 0 1 \* \* /opt/letsencrypt/letsencrypt.sh --cron

adam commented

2025-12-29 00:23:36 +01:00

@seefood commented on GitHub (Mar 17, 2016):

I'm also all for improved docs.
I tried to start with the official client back in September, but it was trying to do too much and screw up my nginx configs. I like the idea of a client that doesn't assume it can or should edit my webserver config files for me.

This week I was happy to find this script. I created the alias for the WK, and directed the config to an RSA4096 key I made, filled up my domains.txt and ran Lukas' script with -c, naiively hoping all will be magically well. It seems the script tried to create new keys for each domain, complained I had the wrong auth and such. do I need to do any registration with Let's Encrypt before I can use this script? what am I missing exactly?

@seefood commented on GitHub (Mar 17, 2016): I'm also all for improved docs. I tried to start with the official client back in September, but it was trying to do too much and screw up my nginx configs. I like the idea of a client that doesn't assume it can or should edit my webserver config files for me. This week I was happy to find this script. I created the alias for the WK, and directed the config to an RSA4096 key I made, filled up my domains.txt and ran Lukas' script with -c, naiively hoping all will be magically well. It seems the script tried to create new keys for each domain, complained I had the wrong auth and such. do I need to do any registration with Let's Encrypt before I can use this script? what am I missing exactly?

adam commented

2025-12-29 00:23:36 +01:00

@nickpearson commented on GitHub (Mar 17, 2016):

@seefood is your server configured to serve the ACME challenge files? See the $WELLKNOWN / challenge-response section of the README. If the server is not configured to serve the challenge files that letsencrypt.sh creates, then the domain validation will fail.

@nickpearson commented on GitHub (Mar 17, 2016): @seefood is your server configured to serve the ACME challenge files? See the [$WELLKNOWN / challenge-response](https://github.com/lukas2511/letsencrypt.sh#wellknown--challenge-response) section of the README. If the server is not configured to serve the challenge files that letsencrypt.sh creates, then the domain validation will fail.

adam commented

2025-12-29 00:23:37 +01:00

@seefood commented on GitHub (Mar 18, 2016):

Of course nick, it's the first thing I did :)
uma:/usr/local/LEsh# echo 123 > /var/www/letsencrypt/321
uma:/usr/local/LEsh# curl https://scso.com/.well-known/acme-challenge/321 --insecure
123

@seefood commented on GitHub (Mar 18, 2016): Of course nick, it's the first thing I did :) uma:/usr/local/LEsh# echo 123 > /var/www/letsencrypt/321 uma:/usr/local/LEsh# curl https://scso.com/.well-known/acme-challenge/321 --insecure 123

adam commented

2025-12-29 00:23:37 +01:00

@lukas2511 commented on GitHub (Mar 18, 2016):

@seefood how about reading README, which states that the file has to be reachable via http?

edit: sorry for maybe sounding a bit agressive. i'm just slightly annoyed when people don't even read what i already provide as documentation... :-/

@lukas2511 commented on GitHub (Mar 18, 2016): @seefood how about reading README, which states that the file has to be reachable via `http`? edit: sorry for maybe sounding a bit agressive. i'm just slightly annoyed when people don't even read what i already provide as documentation... :-/

adam commented

2025-12-29 00:23:37 +01:00

@seefood commented on GitHub (Mar 18, 2016):

you may have a point :) Fixed. Still, why generate a new key when I already set the key file in the config?

uma:/usr/local/LEsh# ./letsencrypt.sh  -c
# INFO: Using main config file /usr/local/LEsh/config.sh
Processing abramov.org with alternative names: ira.abramov.org images.abramov.org
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for abramov.org...
  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-authz (Status 403)

Details:
{"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403}

@seefood commented on GitHub (Mar 18, 2016): you may have a point :) Fixed. Still, why generate a new key when I already set the key file in the config? ``` uma:/usr/local/LEsh# ./letsencrypt.sh -c # INFO: Using main config file /usr/local/LEsh/config.sh Processing abramov.org with alternative names: ira.abramov.org images.abramov.org + Signing domains... + Generating private key... + Generating signing request... + Requesting challenge for abramov.org... + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-authz (Status 403) Details: {"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403} ```

adam commented

2025-12-29 00:23:38 +01:00

@lukas2511 commented on GitHub (Mar 19, 2016):

@seefood the account-key (private_key.pem, outside of the certs directory) has to be registered at the configured CA, and that happens in letsencrypt.sh only after generating that key.

this will change in the (hopefully near) future.
temporary fix is to delete the old account-key and let letsencrypt.sh generate a new one.

up to now i didn't really find any downsides to just generating a new account-key.
as far as i know the only feature depending on it is revoking of a certificate you lost the key for.

@lukas2511 commented on GitHub (Mar 19, 2016): @seefood the account-key (`private_key.pem`, outside of the certs directory) has to be registered at the configured CA, and that happens in letsencrypt.sh only after generating that key. this will change in the (hopefully near) future. temporary fix is to delete the old account-key and let letsencrypt.sh generate a new one. up to now i didn't really find any downsides to just generating a new account-key. as far as i know the only feature depending on it is revoking of a certificate you lost the key for.

adam commented

2025-12-29 00:23:38 +01:00

@seefood commented on GitHub (Mar 19, 2016):

well. I got all the domains the working certs with the test registry, pointed at the real registry URL and tried running again. all the certs were of course too new (I set to 60 days) so no new certs were generated. I then did rm -rf certs and ran again, now I get {"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403} Again. moved the account key aside, allowed a new one to be created (why don't they accept keys longer than 4096?) and now it all seems to be fine.
I'll try to send a patch to the README soon, once I'm more confident I'm understanding all the steps. Thanks!

@seefood commented on GitHub (Mar 19, 2016): well. I got all the domains the working certs with the test registry, pointed at the real registry URL and tried running again. all the certs were of course too new (I set to 60 days) so no new certs were generated. I then did rm -rf certs and ran again, now I get `{"type":"urn:acme:error:unauthorized","detail":"No registration exists matching provided key","status":403}` Again. moved the account key aside, allowed a new one to be created (why don't they accept keys longer than 4096?) and now it all seems to be fine. I'll try to send a patch to the README soon, once I'm more confident I'm understanding all the steps. Thanks!

adam commented

2025-12-29 00:23:38 +01:00

@lukas2511 commented on GitHub (Mar 26, 2016):

I just commited reorganized docs, added a tiny troubleshooting guide with the most common issues, and added a getting started section to readme.

Definitively needs more work, but I think it's a good starting point.

@lukas2511 commented on GitHub (Mar 26, 2016): I just commited reorganized docs, added a tiny troubleshooting guide with the most common issues, and added a getting started section to readme. Definitively needs more work, but I think it's a good starting point.

adam commented

2025-12-29 00:23:38 +01:00

@lukas2511 commented on GitHub (Jan 29, 2017):

This should all be documented now, finally closing this ticket :)

@lukas2511 commented on GitHub (Jan 29, 2017): This should all be documented now, finally closing this ticket :)

adam referenced this issue

2025-12-29 01:28:27 +01:00

[PR #54] [MERGED] fix: --domain/-d is a parameter and not a command! #686

Sign in to join this conversation.