Copy /etc/letsencrypt or regenerate to move?

I have two servers running Ubuntu 18.04 on which certbot was used to generate certs using the apache plugin. One has two sites, the other about 50. I now need to move those 50 to the other machine (and switch their DNS records accordingly).

Most of the advice I can find assumes I have no existing certs on the target machine. But I could perhaps perform some kind of manual weaving in of certs, accounts and renewal confs like this. But I don't actually understand the advice given.

Can I instead just re-create the certs on the target machine from scratch once the DNS has switched over (so certbot --apache -d www.domain.com)? I don't mind a bit of down time.

Thanks for any advice and apologies if I missed some obvious FAQ entry that covers what seems like a fairly common situation.

1 Like

Hi @gilgongo

you can. But I wouldn't do that.

If there are some problems with some domains, you may have a much longer downtime. If you try it too many times, you may hit the limit of 300 orders per 3 hours.

  • Renew all certificates on the old server (or use renew, so you have max. 30 days per domain).
  • Copy the certificates
  • Maybe add the required lines manually to your Apache files

OK, it's hard. What's better: creating/editing 50 files, or starting fresh and having some downtime?

Or don't switch all domains at once; switch only the DNS of one domain. Step by step.

Hello @gilgongo,

Basically you should copy the archive, live, renewal and maybe renewal-hooks directories from your old server and merge them into the new server. Keep in mind that the files in the live dir are symlinks.

Once done you should modify the account parameter in the old renewal conf files to use the account being used in your new server.

Example:

0.- Backup /etc/letsencrypt/ dir in both servers... just in case, you know :wink:

In old server:
tar pzcvf /root/backup_etc_letsencrypt_old_server.tar.gz /etc/letsencrypt/

In new server:
tar pzcvf /root/backup_etc_letsencrypt_new_server.tar.gz /etc/letsencrypt/

1.- Take note of the account used to issue the certificates on the old and new servers.

Method 1
grep account /etc/letsencrypt/renewal/*

Method 2
ls /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/

I'm assuming you are using just one production account.

So, let's say the account on the old server is abcdef0123456789abcdef0123456789 and the account on the new server is 0123456789abcdef0123456789abcdef

2.- On the old server, tar the directories that you will move:
tar pzcvf /root/moving_le_old_server.tar.gz /etc/letsencrypt/{archive,live,renewal}

If you are using some hooks for renewals, also tar the renewal-hooks dir:
tar pzcvf /root/moving_le_old_server.tar.gz /etc/letsencrypt/{archive,live,renewal,renewal-hooks}

3.- Send the file /root/moving_le_old_server.tar.gz to the new server.

4.- On the new server, untar the file.
tar pzxvf /root/moving_le_old_server.tar.gz -C /

5.- Change the account in the renewal conf files copied from the old server.
sed -i 's/abcdef0123456789abcdef0123456789/0123456789abcdef0123456789abcdef/' /etc/letsencrypt/renewal/*

And that should be all.

Use certbot certificates to see that all looks good and certbot renew --dry-run to check that the renew process won't have issues in the future.

Note 1: I assume you are using the same certbot versions on both servers or at least pretty close versions.

Note 2: As @JuergenAuer advised, double check all your certs won't expire in a few days and renew them if needed before the move (don't force the renewal or you could hit some rate limits).

Hope this helps.

Cheers,
sahsanu

1 Like

OK good - I'll try the directory copy-over then. The target server is using certbot 0.27.0 while the one I'm migrating from is 0.31.0 but I assume that's OK.

Oh BTW do I need to do anything on the old machine once the sites have moved? Should I delete sites from renewal?

2 Likes

Regarding the version, I think there should be no issues with the renewal files, but I don't know if there were significant changes between those two versions.

Once moved, yes, you should delete the certs on the old server with certbot delete.

2 Likes

Does 0.27.0 support ACMEv2?

According to the docs it should :slight_smile:

2 Likes

Yes, ACMEv2 support was available in certbot 0.22.0 :wink:

1 Like