
I have a server out there that supports HTTPS using a certbot/letsencrypt certificate.

I am doing a general software upgrade so to minimize risks and downtime, I'm installing new releases on a new server on which I import the live server data for tests. When everything works I'll have the DNS record changed to point to the new server.

My question is what should I do for the certificate? Can I just copy over the existing one and let it get renewed when necessary? Or will the certificate be incompatible and/or LE will complain that the address has changed during the auto-renewal process? Will LE be sensitive to reverse DNS (it may take some more delay for the reverse DNS to work). Is there any other problem I didn't think about?

  • Note that forgetting to update the DNS record to the new IP would lead to SSL_ERROR_BAD_CERT_DOMAIN errors when trying to reuse the existing certificate on the new machine (and all services using your domain would still point to the old machine). Commented Oct 16, 2022 at 9:15

3 Answers


By default, Certbot/Letsencrypt stores its configuration files and generated certificates in /etc/letsencrypt. So you just need to install Certbot on the new server and copy the directory from the old one. Of course you're gonna have to configure the webserver (Apache, Nginx, whatever you're using), pointing to the certificates on the new server.

  • To add to this, moving the /etc/letsencrypt directory moves the private keys and the validation config as well, so certbot renew will "just work". I did just that a week ago, so the memory is still fresh. Commented Jan 13, 2020 at 19:58
  • If you are on Windows, make sure to tar the folder, move the archive and unpack it to keep the symlinks. A simple file copy to the desktop will follow the symlink and place a live file instead. Commented Jul 25 at 10:52
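The directory move from the answer, together with the symlink caveat raised in the comments, as an added shell example that is not part of the original post: pack /etc/letsencrypt (Certbot's default path) with tar so the live/ symlinks survive, unpack it on the new server, and check that every lineage in live/ still points at a file in archive/. The lineage name example.test used in the comments is a constructed placeholder.

```shell
#!/bin/sh
# Pack the Certbot state directory as a tarball. tar keeps symlinks as
# symlinks, unlike a dereferencing file copy. OUT should be an absolute path
# because tar changes directory (-C) before writing.
le_pack() {
    src="${1:-/etc/letsencrypt}"
    out="$2"
    tar -C "$(dirname "$src")" -cf "$out" "$(basename "$src")"
}

# Unpack the tarball into the parent of the destination directory,
# preserving the 0600 permissions on archive/*/privkey*.pem (-p).
le_unpack() {
    archive="$1"
    dest_parent="$2"
    tar -C "$dest_parent" -xpf "$archive"
}

# Verify live/: each lineage has cert.pem, chain.pem, fullchain.pem and
# privkey.pem as symlinks into ../../archive/<lineage>/. Prints the number
# of missing or dangling entries and returns non-zero if any were found.
le_check_live() {
    root="$1"
    bad=0
    for lineage in "$root"/live/*/; do
        [ -d "$lineage" ] || continue
        for f in cert.pem chain.pem fullchain.pem privkey.pem; do
            p="$lineage$f"
            if [ ! -L "$p" ]; then
                echo "not a symlink: $p" >&2; bad=$((bad + 1))
            elif [ ! -e "$p" ]; then
                echo "dangling symlink: $p" >&2; bad=$((bad + 1))
            fi
        done
    done
    echo "$bad"
    [ "$bad" -eq 0 ]
}
```

Run le_check_live on the destination before switching DNS; a copy made with cp -L or a drag-and-drop passes the file names but fails the symlink test, and certbot renew would then update archive/ without the web server noticing.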

You can copy the certificate across; it will work. Maybe configure the current server as a reverse proxy to the other server and you'll be sorted until you make the final move. I hope I could help :)

  • A couple more files are worth preserving, namely: 1. the account URL and private key (which sit in /etc/letsencrypt/account); if you lose them there is no way to administer your existing certificates, though requesting a new certificate for the same domain name might automatically revoke the old one. 2. The renewal parameters in /etc/letsencrypt/renewal, although if you lose them, you can recreate them. Commented Jan 13, 2020 at 20:20

For those of you that are migrating from one server to another server - where Let's encrypt certbot already exists, I can share my recent experience.

First I've updated the Nginx config on the new server, where I've created a new server block with the config from the old server. But I've changed the ssl_certificate and ssl_certificate_key paths to match the existing paths.

Then I've changed the DNS records - which made my server return invalid certificate for a brief moment!

Lastly I've run:

certbot --nginx

Which created a new certificate for the existing + new domain.

The total down time was less than 1 minute.
