Did Dumb Thing - Moved Servers and Forgot Backup and Can't Renew

Hi Folks - I moved servers - copying the Apache configuration and /etc/letsencrypt to the new server. Everything went well but now when I have to renew I cannot. I get all types of errors.

I think that the easiest way would be to remove the Let’s Encrypt certificates and re-enroll.

Is there a documented process for this?

Thanks!

(Yes, I KNOW that I did a really dumb thing forgetting to copy my backups as well :cry:)

Part of the issue is that the symbolic links probably weren’t preserved. That’ll cause some fun.

Assuming you don’t need the existing certificates, just rename /etc/letsencrypt and run certbot as if you’re requesting a certificate for the first time. If everything works properly, you can then delete the renamed directory once you’re sure you won’t need the contents.

Nope - doesn’t work. If you do that you will get errors on your apache config file being “‘cert.pem’ does not exist or is empty”

Looking at totally reversing SSL now to start fresh…

I have it working again. Here is what I had to do - much of it is similar to getting the “starter” Apache 2 SSL set up

  • You need to create the self-signed certificates first (e.g. “sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt”)
  • Once that is done, you need to create the SSL vhost files (assuming you are using virtual hosts - I am) using the self-signed certificates. You can (I did, at least) use the same self-signed certificate for each vhost. The important thing to note here is that letsencrypt must have apache running ssl already. It will not work if apache is not up and/or there are no ssl sites. (This drove me mad for a couple of hours!)
  • Once this is done you can back up your /etc/letsencrypt directory (you could probably blow it away but you are probably paranoid now :slight_smile: )
  • Restart apache (e.g., apache2ctl restart - by this time I will terminate with extreme prejudice :imp: )
  • Check to see if your sites are up and running. Your web browser probably will give you an insecure warning. That is okay - we will be putting real certificates in place; you just need to ensure that apache is working with ssl.
  • Run letsencrypt --apache ya-da, ya-da, ya-da
  • You might have to restart apache manually after it finishes but that’s okay

Now, don’t forget to:

  1. Back up your letsencrypt directory (I am really paranoid now :confounded:)
  2. Back up your apache config files (Yes, I am really paranoid now)
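The symlink damage mentioned earlier in the thread can be checked for before a renewal attempt or after restoring a backup. This is an added example, not part of the original posts and not certbot's own code; the function name `check_le_tree` is hypothetical, and it assumes certbot's standard layout in which `live/<name>/*.pem` are symlinks into `../../archive/<name>/` and each name has a `renewal/<name>.conf`.

```shell
#!/bin/sh
# Added example: audit a copied certbot directory for flattened or broken
# symlinks. check_le_tree is a hypothetical helper name, not a certbot command.
# Assumed layout: live/<name>/{cert,chain,fullchain,privkey}.pem are symlinks
# to ../../archive/<name>/<file>N.pem, plus renewal/<name>.conf.

check_le_tree() (
    root=${1:-/etc/letsencrypt}
    problems=0
    for lineage in "$root"/live/*/; do
        [ -d "$lineage" ] || continue
        name=$(basename "$lineage")
        for f in cert chain fullchain privkey; do
            path="$lineage$f.pem"
            if [ ! -L "$path" ]; then
                # A copy that followed symlinks leaves regular files here.
                if [ -e "$path" ]; then
                    echo "$name: $f.pem is a regular file, not a symlink"
                else
                    echo "$name: $f.pem is missing"
                fi
                problems=$((problems + 1))
                continue
            fi
            target=$(readlink "$path")
            if [ ! -s "$path" ]; then
                # -s follows the link: fails if the target is absent or empty.
                echo "$name: $f.pem -> $target is dangling or empty"
                problems=$((problems + 1))
                continue
            fi
            case $target in
                ../../archive/"$name"/*) ;;
                *)  echo "$name: $f.pem -> $target is outside archive/$name"
                    problems=$((problems + 1)) ;;
            esac
        done
        if [ ! -f "$root/renewal/$name.conf" ]; then
            echo "$name: renewal/$name.conf is missing"
            problems=$((problems + 1))
        fi
    done
    # Exit status 0 only when every lineage is intact.
    [ "$problems" -eq 0 ]
)

# Usage: check_le_tree /etc/letsencrypt && echo "symlink layout intact"
```

Copies made with `rsync -a` or `tar` keep the links, while `cp -rL` or `scp -r` follow them and write regular files, which is what this check reports.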

Oh, yeah. I forgot the Apache auto-config plugin was a thing. That would explain the additional issues you encountered.

(Personally, I don’t trust management of that config to an automatic tool and use the certonly webroot method.)
