Certbot seems to manage X.509 certificates and private keys in its own directory structure in /etc/letsencrypt.
On Debian-based systems (including Ubuntu, Linux Mint and others) X.509 certificates are classically stored in /etc/ssl/certs and private keys in /etc/ssl/private. The certificates are normally world-readable and the private keys are restricted to the ssl-cert group and may also be readable by specific service users.
Is there an established way to make Certbot respect the classic Debian structure? Maintaining links to the classic directories would probably be enough, in addition to managing file ownership and group assignment for services.
I could imagine configuration options to do this, and could also imagine there might be some installer plugins around for that task, but I just couldn't find anything about this.
If I were to do this I would leave the /etc/letsencrypt tree exactly as it is (because anyone seeing the use of LE would expect it) and then use my configuration management tooling to create symlinks in the /etc/ssl tree as appropriate to point to the symlinks in the /etc/letsencrypt/live/CERTNAME directory.
The documentation does mention changing file locations too, but I don't know if it will be possible to do what you want.
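
The symlink approach from the answer above, as an added example that is not part of the original posts or of Certbot. The function names, the LE_ROOT and SSL_ROOT variables and the CERTNAME.pem / CERTNAME.key link names are assumptions. Because Certbot creates live/ and archive/ with mode 0700 by default, the second function lists what would still stop a group such as ssl-cert from following the key link.

```shell
#!/bin/sh
# Added example. Assumed names: link_lineage, key_path_blockers, LE_ROOT,
# SSL_ROOT, and the CERTNAME.pem / CERTNAME.key link names.
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"
SSL_ROOT="${SSL_ROOT:-/etc/ssl}"

# Create or refresh the /etc/ssl links for one certificate name.
# The links target the live/ symlinks, so a renewal needs no relinking.
link_lineage() {
    name="$1"
    live="$LE_ROOT/live/$name"
    for f in fullchain.pem privkey.pem; do
        [ -e "$live/$f" ] || { echo "missing: $live/$f" >&2; return 1; }
    done
    mkdir -p "$SSL_ROOT/certs" "$SSL_ROOT/private" || return 1
    ln -sfn "$live/fullchain.pem" "$SSL_ROOT/certs/$name.pem" || return 1
    ln -sfn "$live/privkey.pem" "$SSL_ROOT/private/$name.key" || return 1
}

# Print each directory on the way to the real key file that lacks group
# search permission, and the key itself if it lacks group read.
# Only mode bits are checked, not which group owns the path.
key_path_blockers() {
    name="$1"
    key=$(readlink -f "$LE_ROOT/live/$name/privkey.pem") || return 1
    archive_dir=$(dirname "$key")
    for d in "$LE_ROOT/live" "$LE_ROOT/live/$name" \
             "$(dirname "$archive_dir")" "$archive_dir"; do
        [ -n "$(find "$d" -prune -perm -g=x)" ] || echo "$d"
    done
    [ -n "$(find "$key" -prune -perm -g=r)" ] || echo "$key"
}

# Usage (as root): link_lineage CERTNAME && key_path_blockers CERTNAME
```

Any path printed by key_path_blockers needs its group ownership and mode adjusted before a non-root service can read the key through the /etc/ssl/private link.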