[Feature request] Adding support for an atomic key, certificate and chain file #9915

Closed
nagmat84 opened this issue Mar 23, 2024 · 1 comment

Comments

@nagmat84

As of today, Certbot creates the following four files per certificate

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

For certain applications (e.g. Postfix) a single file which contains everything, i.e. private key, own certificate, chain, in that order would be beneficial. For example, Postfix picks up a new certificate (or private key for that matter) without reloading the daemon. However, it is necessary that the information is updated in an atomic manner. If the private key and the certificates are stored in individual files, it might happen that Postfix reads a private key and certificate which do not match (of course depending on circumstances and timing).

See Postfix Configuration Parameters – smtpd_tls_chain_files:

Storing the private key in the same file as the corresponding certificate is more reliable. With the key and certificate in separate files, there is a chance that during key rollover a Postfix process might load a private key and certificate from separate files that don't match.

It would be nice if certbot could also create a fifth file which provides everything.

@osirisinferi
Collaborator

This has been requested many times before, the first one back in 2015 already:

#1201

#5643

#5087

Those issues also have very simple workarounds using simple scripts in deploy hooks. (Not that different from your own line of code, but using a deploy hook is key here to automate things.)

But I'm going to close this issue as a duplicate now, as the last issue I mentioned above is still open.
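The deploy-hook workaround mentioned above, written out as an added example (not Certbot's or Postfix's own code): it concatenates privkey, cert and chain in the order smtpd_tls_chain_files expects and replaces the combined file with a single rename, so a Postfix process never reads a key and certificate from different generations. It assumes Certbot's RENEWED_LINEAGE deploy-hook variable and an illustrative destination path under /etc/postfix/tls.

```shell
#!/bin/sh
# Added example, not part of Certbot: a deploy hook that builds the single
# key+cert+chain file Postfix wants and swaps it in atomically.
set -eu

# build_chain_file LINEAGE_DIR DEST
# Writes privkey + cert + chain (key first, as smtpd_tls_chain_files
# requires) to a temporary file in DEST's directory, then renames it over
# DEST. rename(2) on one filesystem is atomic, so a reader sees either the
# complete old file or the complete new file, never a partial or mixed one.
build_chain_file() {
    lineage="$1"
    dest="$2"
    dest_dir=$(dirname "$dest")
    # The temp file must be on the same filesystem as DEST so that mv is a
    # pure rename rather than a copy; mktemp creates it with mode 0600.
    tmp=$(mktemp "$dest_dir/.chain.XXXXXX")
    # Clean up the temp file if any step below fails (set -e aborts the script).
    trap 'rm -f "$tmp"' EXIT
    cat "$lineage/privkey.pem" "$lineage/cert.pem" "$lineage/chain.pem" > "$tmp"
    chmod 0600 "$tmp"      # the file holds the private key: owner-only
    mv -f "$tmp" "$dest"   # atomic replace of the previous generation
    trap - EXIT
}

# Certbot runs deploy hooks with RENEWED_LINEAGE pointing at the live
# directory of the renewed certificate, e.g. via:
#   certbot renew --deploy-hook /usr/local/sbin/postfix-chain-hook.sh
# Destination path is illustrative; it matches a Postfix setting such as
#   smtpd_tls_chain_files = /etc/postfix/tls/mail.chain.pem
# As the issue notes, Postfix picks the new file up without a reload.
if [ -n "${RENEWED_LINEAGE:-}" ] && [ -d "$RENEWED_LINEAGE" ]; then
    build_chain_file "$RENEWED_LINEAGE" /etc/postfix/tls/mail.chain.pem
fi
```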
