Copy certificate files to use on redundancy server

Hi,

I have a Linux server hosting N websites. I also have another server that has the exact N website configurations on standby. (The website settings are automatically downloaded from 3rd party cloud storage and then configured).

Generating the SSL on the first server is not an issue. It generates them perfectly and saves the certificate files under /etc/letsencrypt/live/ /archive/ /renewal/

However, I want to be able to duplicate the files on the other server (upload them to the cloud, then for the redundancy server to download them). Once the primary server is down the redundancy will take over its IP address and then the websites will continue to be served normally.

I’m aware of the option to generate new certificates but I'm not happy with it, as sometimes the servers may go down or be deleted several times a day. Thus, I'd rather copy the certificates to a 3rd party storage once and make them reusable on other servers.

  1. What files do I need to back up? Is it enough to save the files under /live/ /archive/ /renewal/ for each domain or are there other files that are needed?
  2. When they’re downloaded to the redundancy servers and saved in the same structure under /etc/letsencrypt/, are they ready to be used?

If it’s your intention for the standby systems to take over completely (e.g. the failed machines might stay down for weeks or even be scrapped rather than fixed soon after the incident) then your approach makes sense. Definitely something you’ll want to try once at least before you ever need it for real though. Make sure to duplicate any cronjob or similar used to ensure renewals take place, though if the standby servers are “warm” and not just switched off you’ll need to ensure they don’t try to actually run such jobs until they’re in use.

Most of the files involved are a matter of public record, or can be trivially replaced. The privkey.pem files though are your private key. Nobody else knows this, including Let’s Encrypt - if anybody has a copy they can impersonate you or snoop traffic (in Perfect Forward Secrecy modes this needs an active attack during connection setup, without PFS it can take place at any time including decrypting recorded traffic years later). So you must (and the Let’s Encrypt T&C’s oblige you to do this) take proper care of this file, if it’s in the cloud it should be suitably protected.

@NizarBlond, one question is whether you want the standby server to work in terms of serving the sites, or also to be able to start running certbot renew for itself.

In the first case, you technically only need the contents of live and archive in order to be able to use the certificates. (In fact, the actual certificate files are only in archive, but we don’t usually like to remind people of that fact because renewal won’t have the intended effect if a web server configuration is pointed at archive instead of at live.)

In the second case, there is also stuff in /etc/letsencrypt/accounts that you’ll need as well in order to be able to perform the renewals (you have an account with the CA which is identified with its own private key, and the renewal configurations in /etc/letsencrypt/renewal make reference to this account). Also, you should be sure that the copying method preserves symlink structure rather than copying symlinks as files, because the symlink structure is also used during the renewal process. Given those things, you should also be able to run certbot renew successfully on the standby server.
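
The following check is an added example, not code from any poster in this thread or from certbot. It verifies on the standby server that a restored copy of /etc/letsencrypt still has each `live/<name>/*.pem` as a symlink resolving into `archive/<name>/`, and that the private key is not readable by group or others. The function names, the `example.com` lineage and the placeholder file contents are constructed for the example; the `0o077` permission test is this example's policy.

```python
import os
import shutil
import tempfile

PEM_NAMES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")

def check_letsencrypt_tree(root):
    """Return a list of problems in a restored copy of /etc/letsencrypt."""
    live = os.path.join(root, "live")
    if not os.path.isdir(live):
        return [f"{live}: missing"]
    problems = []
    for lineage in sorted(os.listdir(live)):
        lineage_dir = os.path.join(live, lineage)
        if not os.path.isdir(lineage_dir):
            continue  # skip plain files such as live/README
        archive_dir = os.path.realpath(os.path.join(root, "archive", lineage))
        for name in PEM_NAMES:
            path = os.path.join(lineage_dir, name)
            if not os.path.islink(path):
                problems.append(f"{path}: not a symlink (missing or copied as a file)")
                continue
            target = os.path.realpath(path)
            if os.path.dirname(target) != archive_dir or not os.path.isfile(target):
                problems.append(f"{path}: does not resolve to a file in {archive_dir}")
            elif name == "privkey.pem" and os.stat(target).st_mode & 0o077:
                problems.append(f"{target}: private key readable by group or others")
    return problems

def build_sample_tree(root, lineage="example.com"):
    """Constructed stand-in for /etc/letsencrypt: one lineage, placeholder file contents."""
    archive = os.path.join(root, "archive", lineage)
    live = os.path.join(root, "live", lineage)
    os.makedirs(archive)
    os.makedirs(live)
    for name in PEM_NAMES:
        versioned = name.replace(".pem", "1.pem")  # e.g. cert1.pem
        with open(os.path.join(archive, versioned), "w") as f:
            f.write("constructed placeholder, not a real PEM\n")
        os.chmod(os.path.join(archive, versioned), 0o600 if name == "privkey.pem" else 0o644)
        os.symlink(os.path.join("..", "..", "archive", lineage, versioned), os.path.join(live, name))
    return root

def compare_copy_methods():
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_tree(os.path.join(tmp, "src"))
        shutil.copytree(src, os.path.join(tmp, "kept"), symlinks=True)   # links stay links
        shutil.copytree(src, os.path.join(tmp, "flat"), symlinks=False)  # links become files
        return tuple(check_letsencrypt_tree(os.path.join(tmp, d)) for d in ("kept", "flat"))
```

`compare_copy_methods()` returns an empty problem list for the link-preserving copy and four "not a symlink" findings for the dereferencing copy; on a real standby, call `check_letsencrypt_tree("/etc/letsencrypt")` after the download step.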
