Did Dumb Thing - Moved Servers and Forgot Backup and Can't Renew


#1

Hi Folks - I moved servers - copying the Apache configuration and /etc/letsencrypt to the new server. Everything went well but now when I have to renew I cannot. I get all types of errors.

I think that the easiest way would be to remove the Let’s Encrypt certificates and re-enroll.

Is there a documented process for this?

Thanks!

(Yes, I KNOW that I did a really dumb thing forgetting to copy my backups as well :cry:)


#2

Part of the issue is that the symbolic links probably weren’t preserved. That’ll cause some fun.

Assuming you don’t need the existing certificates, just rename /etc/letsencrypt and run certbot as if you’re requesting a certificate for the first time. If everything works properly, you can then delete the renamed directory once you’re sure you won’t need the contents.
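An added example, not part of the posts in this thread: a shell check for the symlink problem reply #2 describes. It assumes certbot's default layout, where each `live/<name>/*.pem` is a relative symlink into `archive/<name>/`; the function names `check_le_live` and `make_sample_tree` and the sample domain names are made up for illustration.

```shell
#!/bin/sh
# Added example: verify certbot's default live/ -> archive/ symlink layout.
# Prints one line per problem and returns non-zero if any lineage is damaged.
check_le_live() {
    le_dir=${1:-/etc/letsencrypt}
    bad=0
    for lineage in "$le_dir"/live/*/; do
        [ -d "$lineage" ] || continue          # glob matched nothing
        name=$(basename "$lineage")
        for f in cert chain fullchain privkey; do
            p="$lineage$f.pem"
            if [ ! -L "$p" ] && [ -e "$p" ]; then
                echo "NOT-A-SYMLINK $name/$f.pem (copied as a regular file)"
            elif [ ! -L "$p" ]; then
                echo "MISSING $name/$f.pem"
            elif [ ! -s "$p" ]; then
                # -s follows the link: false when the target is absent or empty
                echo "DANGLING-OR-EMPTY $name/$f.pem -> $(readlink "$p")"
            else
                case $(readlink "$p") in
                    ../../archive/*) continue ;;   # expected relative target
                    *) echo "UNEXPECTED-TARGET $name/$f.pem -> $(readlink "$p")" ;;
                esac
            fi
            bad=$((bad + 1))
        done
    done
    [ "$bad" -eq 0 ]
}

# Constructed sample tree (placeholder files, no real keys) for trying the check.
make_sample_tree() {
    root=$1
    for n in good.example copied.example dangling.example; do
        mkdir -p "$root/live/$n" "$root/archive/$n"
    done
    for f in cert chain fullchain privkey; do
        echo placeholder > "$root/archive/good.example/${f}1.pem"
        ln -s "../../archive/good.example/${f}1.pem" "$root/live/good.example/$f.pem"
        echo placeholder > "$root/live/copied.example/$f.pem"
        ln -s "../../archive/dangling.example/${f}1.pem" "$root/live/dangling.example/$f.pem"
    done
}

# Check a real tree when a directory is given, e.g. sh check.sh /etc/letsencrypt
if [ -n "${1:-}" ]; then check_le_live "$1"; fi
```

Copying the directory with `cp -a` or `rsync -a` keeps these links intact, so the check should print nothing on a cleanly migrated tree.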


#3

Nope - doesn’t work. If you do that you will get errors on your apache config file being “‘cert.pem’ does not exist or is empty”

Looking at totally reversing SSL now to start fresh…


#4

I have it working again. Here is what I had to do - much of it is similar to getting the “starter” Apache 2 SSL set up

  • You need to create the self-signed certificates first (e.g. “sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt”)
  • Once that is done, you need to create the SSL vhost files (assuming you are using virtual hosts - I am) using the self-signed certificates. You can (I did, at least) use the same self-signed certificate for each vhost. The important thing to note here is that letsencrypt must have apache running ssl already. It will not work if apache is not up and/or there are no ssl sites. (This drove me mad for a couple of hours!)
  • Once this is done you can back up your /etc/letsencrypt directory (you could probably blow it away but you are probably paranoid now :slight_smile: )
  • Restart apache (e.g., apache2ctl restart - by this time I will terminate with extreme prejudice :imp: )
  • Check to see if your sites are up and running. Your web browser probably will give you an insecure warning. That is okay - we will be putting real certificates in place; you just need to ensure that apache is working with ssl.
  • Run letsencrypt --apache ya-da, ya-da, ya-da
  • You might have to restart apache manually after it finishes but that’s okay

Now, don’t forget to:

  1. Back up your letsencrypt directory (I am really paranoid now :confounded:)
  2. Back up your apache config files (Yes, I am really paranoid now)

#5

Oh, yeah. I forgot the Apache auto-config plugin was a thing. That would explain the additional issues you encountered.

(Personally, I don’t trust management of that config to an automatic tool and use the certonly webroot method.)

