Best way to migrate and create letsencrypt certs on new server


#1

My domain is:
beinglibertarian.com, media.beinglibertarian.com, memes.beinglibertarian.com, think-liberty.com, rationalstandard.com
I ran this command:
certbot renew --dry-run

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/beinglibertarian.com-0001.conf


Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 439, in __init__
self._check_symlinks()
File "/usr/lib/python3/dist-packages/certbot/storage.py", line 498, in _check_symlinks
"expected {0} to be a symlink".format(link))
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/beinglibertarian.com-0001/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/beinglibertarian.com-0001.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/media.beinglibertarian.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for media.beinglibertarian.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/media.beinglibertarian.com/fullchain.pem



** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/media.beinglibertarian.com/fullchain.pem (success)

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/beinglibertarian.com-0001.conf (parsefail)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)


0 renew failure(s), 1 parse failure(s)

My web server is (include version):
Nginx 1.14(EasyEngine)

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

So I am trying to migrate letsencrypt from a current production server running beinglibertarian.com on a LEMP stack with Ubuntu 16.04 to a new VPS running Ubuntu 18.04 and PHP 7.2. It is currently running media.beinglibertarian.com and is live, with a developer tweaking the WordPress for the multimedia team. However, after migrating the certificate it gives me this error; how can I resolve it so I can finish the WordPress migration of the main beinglibertarian.com site?
Also, how can I go about adding TLS for the additional domain(s) to the server? We have acquired two more entities, think-liberty.com and rationalstandard.com, that they want to move over to our VPS; one of them currently has a TLS certificate of its own from its managed provider and the other doesn't have one.
Because I want them to be able to auto-update their certificates like the main site and media do, as well as the upcoming memes site.


#2

Honestly, it’s probably easier to start from scratch on the new server. There’s no real need to migrate them - it’s not like you’re paying or anything.

The reason this failed is that however you migrated the /etc/letsencrypt directory did not preserve symlinks. The structure of this directory is really important, and Certbot is very specific about it.


#3

How can I copy it whilst preserving symlinks?


#4

Likely with rsync -a, but I’ll echo the opinion that it’s almost always much easier to simply start over with a new certificate on the new machine.
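As an added illustration of the point made in #2 and #4 (not code from the thread): after copying /etc/letsencrypt to the new machine, for example with rsync -a, this check walks every live/<lineage>/ and reports any of the four .pem entries that is not a symlink into archive/<lineage>/, which is the same condition Certbot's _check_symlinks raises the CertStorageError for. It assumes the standard Certbot layout (live/<lineage>/cert.pem -> ../../archive/<lineage>/certN.pem) and takes the directory to inspect as its argument.

```shell
#!/bin/sh
# Report live/<lineage>/*.pem entries that are regular files instead of symlinks
# into archive/<lineage>/. A copy that dereferences symlinks (scp -r, or tar/cp
# invoked so that it follows links) leaves exactly that state behind; rsync -a
# keeps the symlinks and is what the thread suggests for the copy itself.
# Usage: check_le_symlinks [/etc/letsencrypt]  ->  exit 0 if OK, 1 if anything is broken
check_le_symlinks() {
    le_dir=$(cd "${1:-/etc/letsencrypt}" && pwd -P) || return 1   # canonical path
    broken=0
    for lineage_dir in "$le_dir"/live/*/; do
        [ -d "$lineage_dir" ] || continue            # glob matched nothing
        lineage=$(basename "$lineage_dir")
        for name in cert chain fullchain privkey; do
            link="$lineage_dir$name.pem"
            if [ ! -L "$link" ]; then
                echo "BROKEN: $link is not a symlink" >&2
                broken=$((broken + 1))
                continue
            fi
            # Resolve the relative target (../../archive/<lineage>/<name>N.pem)
            target=$(readlink -f "$link")
            case "$target" in
                "$le_dir"/archive/"$lineage"/*) ;;   # points where Certbot expects
                *) echo "BROKEN: $link -> $target (not under archive/$lineage)" >&2
                   broken=$((broken + 1)) ;;
            esac
        done
    done
    [ "$broken" -eq 0 ]
}
```

Run it on the destination before the first `certbot renew --dry-run`; a non-zero exit tells you which lineage to delete and re-copy (or re-issue) rather than leaving renewals silently skipped.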