How I restore a Let’s Encrypt configuration?

Good day.

I did a whole backup to my /etc/letsencrypt/ directory and pretend to restore that configuration.

My domain is: (Inaccessible from outside)

What are the steps I need to follow in order to restore my Let’s Encrypt configuration?

My operating system is: Ubuntu 16.04.2 LTS

My web server is: Nginx 1.10.3

I can login to a root shell on my machine: yes

Thanks in advance.

Warm regards.

Hi @alainalemany,

Your question in your message (“What are the steps I need to follow in order to restore my Let’s Encrypt configuration?”) is different from the topic question (“How to reissue existent certificate?”).

If you have a complete backup of /etc/letsencrypt (including symbolic links!), you should be able to restore that backup into /etc/letsencrypt on another system. This does not involve reissuing any certificates, simply copying them.

If you want to reissue an existing certificate, you can re-run the same Certbot command that was used to obtain it. If the certificate is already installed in /etc/letsencrypt, Certbot may ask you whether you really want to renew it if it’s still more than 30 days away from expiring. You can answer this question interactively, or from the command line (--keep-until-expiring to always say no, and --force-renewal to always say yes).

You’re right about the title. I fixed it, sorry.

So by just copy my backed up /etc/letsencrypt/ directory everything works again?


Yes, it should work fine, as long as the symbolic links are preserved. Symlinks are an important part of the structure of the /etc/letsencrypt directory.

Thanks for your quick reply @schoen. Well, I don’t know much about Let’s Encrypt directory structure. I just figured out everything was inside /etc/letsencrypt/. Now, regard those symlinks, are they inside that directory? How I know I didn’t leave anything behind to backup?

Thanks again.

You can look in /etc/letsencrypt/live/ and see if the items in it are symbolic links into ../archive. If so, it should be all right.

Inside /etc/letsencrypt/live/bigbluebutton/ I have cert.pem, chain.pem, fullchain.pem, privkey.pem, README, and they’re not symlinks. And inside /etc/letsencrypt/archive/ what I have is cert1.pem, cert2.pem, chain1.pem, chain2.pem, fullchain1.pem, fullchain2.pem, privkey1.pem, privkey2.pem.

I configured this Bigbluebutton server a year and a half ago and I honestly can’t remember what I did. That’s why I can’t really remember why there’s so much .pem files in ../archive/.

How can I know which one belongs to the ones in ../live/bigbluebutton/?

Bigbluebutton 1.1 it’s live and stable now, but demands Ubuntu 16.04. That’s why I had to reinstall the server and backed up /etc/letsencrypt/ directory.

Thanks in advance.

Oh! In this case, you must have used a backup method which doesn’t preserve symlinks.

Your current /etc/letsencrypt will confuse Certbot and not work properly for renewals.

The data in your archive contains two different versions of the certificate (reflecting one initial issuance and one subsequent issuance as a renewal). When we originally designed this, we imagined that system administrators would review the renewal events by hand to make sure they were as desired, and they could roll back to a previous version if they preferred that version. This option still exists, but it turns out that people don’t actually do this; I’ve been suggesting that maybe we should stop keeping as much archive data as we do, particularly the old private keys.

Anyway, the data in live is supposed to be symlinks pointing to the current version.

You should be able to fix this via

cd /etc/letsencrypt/live/bigbluebutton
rm cert.pem chain.pem fullchain.pem privkey.pem
ln -s ../../archive/bigbluebutton/cert2.pem cert.pem
ln -s ../../archive/bigbluebutton/chain2.pem chain.pem
ln -s ../../archive/bigbluebutton/fullchain2.pem fullchain.pem
ln -s ../../archive/bigbluebutton/privkey2.pem privkey.pem

assuming that the directories are literally called “bigbluebutton”.

To other people reading this, it’s not necessarily recommended to do this by hand and we suspect that some people whose /etc/letsencrypt got messed up may have been deleting files and then trying to recreate symlinks by hand and making them point to the wrong places. Also, perhaps the symlink structure will change at some point in the future.

Thanks again for your answer @schoen.

Well first, in Ubuntu 14.04 symlinks are shown with a turquoise color. I have no idea why in 16.04 they are shown in plain grey as every other text, so that got me confused :thinking: and told you there were no symlinks at all.

After a ls -l I was able to see where they were pointing at and then I finished configuring my Nginx, which works now like a charm.

I which I can send you a beer or a coffee man, you’ve been extremely helpful.


I’m glad it’s working!

You should eventually also try certbot renew to make sure that Certbot is able to renew your certificate (then you can set that to run regularly from cron). It only tries to renew if the certificate is less than 30 days from expiring, but you can also supply --force-renew to make it renew immediately (which should not be used from cron).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.