Certificate portability to another server


#1

Hello,

So last week I issued a wildcard certificate for a domain. We are now moving to a different hosting provider, and I wonder whether I should port the existing certificates to the new server or just issue a new one and revoke the old one.

  • Is it good practice to just change the server maintaining the certificate? If so, what is the best way to do it?

Thanks for your time.


#2

There is no need to revoke the cert. That is only needed if your key is compromised. You can just delete it.

BUT

Personally, I would port the existing certificate over, then try to renew. If that fails, issue a new one. That will minimize your downtime.


#3

So I just place them over /etc/letsencrypt/archive? Do I need to create symlinks?


#4

You should copy all of /etc/letsencrypt/, preserving the symlinks. Certbot won’t work right if its files get damaged, particularly automatic renewal.

If there are multiple certificates and you don’t want to copy all of them, at least copy /etc/letsencrypt/accounts/, /etc/letsencrypt/archive/example.com/, /etc/letsencrypt/live/example.com/ and /etc/letsencrypt/renewal/example.com.conf.

Or copy everything and delete the others with “certbot delete”.

One benefit of issuing a new certificate, whether or not you also revoke the old one, is that it ensures Certbot is working. It would be unfortunate to discover something went wrong in the move only when it comes time to renew.


#5

I have done the following with success:

cd /etc
tar -cf letsencrypt.tar letsencrypt
bzip2 letsencrypt.tar

Then I sftp the file onto the new server and move/expand it…

bzip2 -d letsencrypt.tar.bz2
mv letsencrypt.tar /etc
cd /etc   # extract in /etc, where the archive was just moved
tar -xf letsencrypt.tar

After all that is done, I install/run certbot, which picks up the existing dir, then remove the tar file when it has succeeded.

By default tar should preserve symbolic links.

It’s more complex if you’re trying to merge into an existing installation, but completely replacing one tends to work for me.


#7

Last post was a send misclick, sorry.

Thank you @jvanasco and @mnordhoff for your responses. I can also replicate your solution with success.

Don’t know if this is still relevant to this post, but what about backing up /etc/letsencrypt/accounts/, even if I just issue a new certificate? Are there any advantages in backing up accounts?


#8

If I recall correctly, if you don’t bring /accounts/ with you, existing renewals will break.

This is because your renewal parameters in /etc/letsencrypt/renewal/ make references to your ACME account ID.
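A way to verify a copied tree before relying on it, covering both the symlink point from #4/#5 and the account reference from #8. This is an added example, not code from any poster or from Certbot; it assumes GNU coreutils (readlink -f), Certbot's standard layout, and the "account = <id>" line that renewal confs carry under [renewalparams]. The demo tree it builds and the account id in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a copied /etc/letsencrypt tree
# before trusting it for renewal. It verifies that every live/<name>/*.pem is still
# a symlink resolving into archive/, and that every renewal/*.conf names an account
# directory that was copied along under accounts/.

check_letsencrypt_tree() {
    root=$(readlink -f "$1") || return 2
    bad=0
    for link in "$root"/live/*/*.pem; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        if [ ! -L "$link" ]; then
            echo "NOT A SYMLINK (copy dereferenced it?): $link" >&2
            bad=$((bad + 1)); continue
        fi
        target=$(readlink -f "$link")
        case "$target" in
            "$root"/archive/*) [ -f "$target" ] && continue ;;
        esac
        echo "DANGLING LINK: $link -> $target" >&2
        bad=$((bad + 1))
    done
    for conf in "$root"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        acct=$(sed -n 's/^account *= *//p' "$conf" | head -n 1 | tr -d ' \r')
        if [ -z "$acct" ] || ! find "$root/accounts" -type d -name "$acct" 2>/dev/null | grep -q .; then
            echo "MISSING ACCOUNT '$acct' for $(basename "$conf")" >&2
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Constructed demo tree mimicking Certbot's layout; the account id is hypothetical.
make_demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/archive/example.com" "$d/live/example.com" "$d/renewal" \
             "$d/accounts/acme-v02.api.letsencrypt.org/directory/0123abcd"
    for f in cert chain fullchain privkey; do
        echo "PEM" > "$d/archive/example.com/${f}1.pem"
        ln -s "../../archive/example.com/${f}1.pem" "$d/live/example.com/$f.pem"
    done
    printf '[renewalparams]\naccount = 0123abcd\n' > "$d/renewal/example.com.conf"
    echo "$d"
}

demo=$(make_demo_tree)
check_letsencrypt_tree "$demo" && echo "OK: $demo passes"
rm -rf "$demo"
```

Run it as check_letsencrypt_tree /etc/letsencrypt on the new server; a zero exit status with no findings on stderr means the copy kept its symlinks and its account, and certbot renew --dry-run is the next step.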


#9

If you’re not copying any other /etc/letsencrypt/ files, you normally don’t need to copy the accounts. It’s common for people to have numerous accounts on different servers.

The main exception is if you have a rate limit exemption tied to your account. (If you did file the form and get one, you would remember.)

There’s also an account creation rate limit: if you were creating dozens of accounts all day, hit the rate limit, and can’t create any more for 3 hours, you might want to copy one.


#10

Yep. You can just find/replace the account string into a new account though.

A bonus for copying the accounts is that you don’t have to agree to a TOS when the client authenticates to the ACME server. You also need them to revoke certificates.

