Essential configuration files / blueprint for automated deployment

Hello all,

We are using certbot-auto with webroot on Ubuntu. I know it sounds like this has been asked before, but the information I found in this forum was more like "just copy /etc/letsencrypt to the new server and there you go".

This often makes no sense, e.g. because there is no need to copy old certs to a new server. We have had 6-7 domains covered by Let's Encrypt for years, which makes hundreds of unnecessary files.

So, which configuration and seed folders/files are really necessary and essential and need to be copied?

Imagine I'm interested in having an essential blueprint of /etc/letsencrypt for multiple domains (e.g. for Ansible), even with the last, possibly now expired, certificates (that shouldn't matter), which I can deploy to the new server and kickstart the process with "certbot-auto" to get the new certificates.

Cheers Greg
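As an added worked example (not code from any poster in this thread): a Python script that walks a certbot directory tree and lists the subset a new host needs in order to keep renewing the existing lineages. It keeps the accounts/ directory (ACME account key and registration), renewal/*.conf, the live/<lineage>/*.pem symlinks and only the archive/ version each symlink currently points to; superseded archive versions are dropped. The demo tree it builds (domain example.com, account id 0123abcd, three archive versions) is constructed for the example. Two caveats a practitioner would want: renewal/*.conf stores absolute paths, so the copy has to land at the same path (normally /etc/letsencrypt) on the new host, and privkey*.pem permissions must be preserved when copying.

```python
"""Added example: enumerate the subset of a certbot /etc/letsencrypt tree that a
new host needs to continue renewing existing lineages. Not code from the thread."""
import tempfile
from pathlib import Path

PEM_NAMES = ("cert", "privkey", "chain", "fullchain")


def essential_files(letsencrypt_dir):
    """Return sorted POSIX-style relative paths of the files worth copying.

    Kept: accounts/ (ACME account key + registration), renewal/*.conf,
    live/<lineage>/*.pem symlinks, and only the archive/ version each symlink
    currently resolves to. Older archive versions are left out.
    """
    root = Path(letsencrypt_dir).resolve()
    needed = set()

    accounts = root / "accounts"
    if accounts.is_dir():
        for p in accounts.rglob("*"):
            if p.is_file():
                needed.add(p.relative_to(root))

    renewal = root / "renewal"
    if renewal.is_dir():
        for conf in renewal.glob("*.conf"):
            needed.add(conf.relative_to(root))

    live = root / "live"
    if live.is_dir():
        for lineage in live.iterdir():
            if not lineage.is_dir():
                continue  # e.g. live/README is not a lineage
            for link in lineage.glob("*.pem"):
                needed.add(link.relative_to(root))  # the symlink itself
                target = link.resolve()  # archive/<lineage>/<name>N.pem
                if target.is_file():
                    needed.add(target.relative_to(root))

    return sorted(p.as_posix() for p in needed)


def build_demo_tree(base_dir=None):
    """Build a constructed look-alike of /etc/letsencrypt with one lineage that
    has been renewed twice (archive versions 1..3, live points at 3)."""
    base = Path(base_dir) if base_dir else Path(tempfile.mkdtemp())
    root = base / "letsencrypt"
    lineage = "example.com"  # constructed domain for the example

    archive = root / "archive" / lineage
    archive.mkdir(parents=True)
    for version in (1, 2, 3):
        for name in PEM_NAMES:
            (archive / f"{name}{version}.pem").write_text(f"{name} v{version}\n")

    live = root / "live" / lineage
    live.mkdir(parents=True)
    (root / "live" / "README").write_text("certbot live directory\n")
    for name in PEM_NAMES:
        # certbot uses relative symlinks of exactly this shape
        (live / f"{name}.pem").symlink_to(f"../../archive/{lineage}/{name}3.pem")

    renewal = root / "renewal"
    renewal.mkdir()
    # constructed, abbreviated renewal config; note the absolute paths
    (renewal / f"{lineage}.conf").write_text(
        f"archive_dir = /etc/letsencrypt/archive/{lineage}\n"
        f"cert = /etc/letsencrypt/live/{lineage}/cert.pem\n"
        f"privkey = /etc/letsencrypt/live/{lineage}/privkey.pem\n"
        "[renewalparams]\n"
        "account = 0123abcd\n"
        "authenticator = webroot\n"
    )

    account = root / "accounts" / "acme-v02.api.letsencrypt.org" / "directory" / "0123abcd"
    account.mkdir(parents=True)
    for name in ("private_key.json", "regr.json", "meta.json"):
        (account / name).write_text("{}\n")
    return root


if __name__ == "__main__":
    for rel in essential_files(build_demo_tree()):
        print(rel)
```

Running it against a real tree is `essential_files("/etc/letsencrypt")`; feeding the list to rsync or an Ansible copy task gives the reduced blueprint, as long as it is restored to the same path with the original ownership and modes.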

"certbot-auto" is deprecated; so you should look to replace it with an updated client.
IMHO, the amount of effort needed to filter out only the files in use far exceeds the benefit of the reduced space.

Q #1: Are you copying letsencrypt from one system to another? (if so, why?)
Q #2: Can you just start a clean install on the new system and get whatever certs are needed there?


"certbot-auto" is deprecated; so you should look to replace it with an updated client.

Which one do you recommend for the Ubuntu/Apache combination?

the amount of effort needed to filter out only the files in use far exceeds the benefit of the reduced space

Yes, I didn't plan to spend hours. I expected an answer like "Take this directory and these two as well, plus the last key, cert and chain of each domain, and it'll work." That's why I asked before spending hours. And it's not about space. It's about having a reduced blueprint which can be rapidly deployed not only to one server this time, but also to multiple new servers again next time, e.g. next year when Ubuntu 22.04 LTS arrives.

Q #1: Are you copying letsencrypt from one system to another? (if so, why?)

Yes, because I'm preparing a server migration?!?! 1 hot and 2 standby servers (which will never be reachable under their domains as long as there's no fail-over) need to be automatically preconfigured with Ansible.

Q #2: Can you just start a clean install on the new system and get whatever certs are needed there?

It's an automated deployment with Ansible. Point me to a working Ansible role to install certbot which will not fail before the new server is reachable under its final domains. Point me to it, and I will use it.

The recommended client is certbot (installed via snapd).
See: Certbot - Snap Apache (eff.org)

Automation is definitely the desired path, and one without any downtime during a fail-over is preferable.
To that end, the greatest factor is using an authentication method that allows for obtaining certs before the server is at the expected IP address.
This can be accomplished via DNS-01 authentication.
[this requires a DSP and ACME client that support DNS updates via API]
If you can't use DNS-01 authentication, then you are limited to obtaining the cert beforehand, and I do understand your request to simplify the copy and reuse of the existing cert(s) on the new system as much as possible.
I would argue that your best avenue would be to find a DSP and ACME client that support DNS updates via API.
[every other solution pales in comparison]

For a solution that just works as soon as you spin up a new server instance, I would store your certificate renewals in a key vault (such as HashiCorp Vault) and pull the latest cert on startup and on a schedule.

I don't have any pre-built scripts for that, but https://certifytheweb.com (for instance) will take care of renewing and publishing to key vaults (see Tasks), or performing custom scripting, or copying to network paths on renewal, etc. You just need your server configuration to look in the correct place on startup for the latest cert files. This has the benefit of being able to spin up as many instances as you like without them all competing for a new certificate (and so there are no rate limit issues).

