Precise the certificate naming convention mechanism in the compatibility document (#8652)

* Precise the certificate naming convention mechanism in a note. * Add certificate name convention in user guide, refer to it in compatibility page. * Update certbot/docs/compatibility.rst Co-authored-by: alexzorin <alex@zor.io> * Update certbot/docs/using.rst Co-authored-by: alexzorin <alex@zor.io> * Update certbot/docs/using.rst Co-authored-by: alexzorin <alex@zor.io> * Improve the note about naming conventions Co-authored-by: alexzorin <alex@zor.io>
2026-06-09 08:42:57 -04:00 · 2021-03-21 22:39:54 +01:00 · 2021-03-21 22:39:54 +01:00 · 6bc8b3d2ba
commit 6bc8b3d2ba
parent 40ae5d939e
2 changed files with 21 additions and 9 deletions
--- a/certbot/docs/compatibility.rst
+++ b/certbot/docs/compatibility.rst
@ -21,9 +21,9 @@ may change at any time. The second is that Certbot's behavior should only be
 considered stable with certain files but not all. Files with which users should
 expect Certbot to maintain its current behavior with are:

-* ``/etc/letsencrypt/live/<domain>/{cert,chain,fullchain,privkey}.pem`` where
-  ``<domain>`` is the name given to ``--cert-name``. If ``--cert-name`` is not
-  set by the user, it is the first domain given to ``--domains``.
+* ``/etc/letsencrypt/live/$domain/{cert,chain,fullchain,privkey}.pem``, where
+  ``$domain`` is the certificate name (see :ref:`where-certs`
+  for more details)
 * :ref:`CLI configuration files <config-file>`
 * Hook directories in ``/etc/letsencrypt/renewal-hooks``

--- a/certbot/docs/using.rst
+++ b/certbot/docs/using.rst
@ -717,12 +717,24 @@ Where are my certificates?
 ==========================

 All generated keys and issued certificates can be found in
-``/etc/letsencrypt/live/$domain``. In the case of creating a SAN certificate
-with multiple alternative names, ``$domain`` is the first domain passed in
-via -d parameter. Rather than copying, please point
-your (web) server configuration directly to those files (or create
-symlinks). During the renewal_, ``/etc/letsencrypt/live`` is updated
-with the latest necessary files.
+``/etc/letsencrypt/live/$domain``, where ``$domain`` is the certificate
+name (see the note below). Rather than copying, please point your (web)
+server configuration directly to those files (or create symlinks).
+During the renewal_, ``/etc/letsencrypt/live`` is updated with the latest
+necessary files.
+
+.. note::
+  The certificate name ``$domain`` used in the path ``/etc/letsencrypt/live/$domain``
+  follows this convention:
+
+  * it is the name given to ``--cert-name``,
+  * if ``--cert-name`` is not set by the user it is the first domain given to
+    ``--domains``,
+  * if the first domain is a wildcard domain (eg. ``*.example.com``) the
+    certificate name will be ``example.com``,
+  * if a name collision would occur with a certificate already named ``example.com``,
+    the new certificate name will be constructed using a numerical sequence
+    as ``example.com-001``.

 For historical reasons, the containing directories are created with
 permissions of ``0700`` meaning that certificates are accessible only