How to install letsencrypt on a new server with existing certificate

Please fill out the fields below so we can help you better.

My domain is:

I ran this command:sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d -d

It produced this output: Created new certificates, but I want to use my old certificates, I saved.

My operating system is (include version):node.js 6.9.4

My web server is (include version):Ubuntu 16.04

My hosting provider, if applicable, is:DigitalOceans

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I am rebuilding an Ubuntu server but don’t want to create new certificates, but want to use the old ones I saved (privkey.pem, cert.pem, chain.pem, fullchain.pem). What should the letsencrypt command look like, so it doesn’t create new keys. The command I am using is: sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d -d

I’m a little confused as to why you want to install / run letsencrypt at all if you are using your old certs. The easiest thing to do is not run any command, then your old cert will not be changed.

Is it that you want to use the old certs until renewal time ? and then use new certs ?

I’m rebuilding my server from scratch. I’m doing this 4 or 5 times a day, to test out my installation process. I ran into the problem where I used up my 5 certificates. I started over with a new domain name, and saved the 4 .pem files during the first install. Now I am on my second install and I’m trying to understand how I apply the old certificate to the new install. I’m assuming I still have to instill some letsencrypt s/w that will operate on the old certificate .pem files. I can copy the 4 .pem files to where they were during the first install without installing any letsencrypt. Is this what I should do?

1 Like

If all you want is to use the existing certificate and not issue a new one, you just need the four pem files. You only need to run the certbot (formerly letsencrypt) application if you need to issue new or renew existing.

motoko & serverco,
I completed my installation as you suggested, and came up running perfectly!!!
Thanks much for understanding my problem and your explanations.

But please note that if you intend to use the server over the long term, using the existing PEM files without recreating the entire structure of files under /etc/letsencrypt will prevent Certbot from knowing how to renew the certificate for you when it expires (certbot renew will ignore it and not attempt to renew it).

The only thing I did was make the directory: /etc/letsencrypt/live/
Then copy the 4 .pem files to it.
Relative to the renewal, here is my script:
sudo letsencrypt renew
— Run the renewal command every week
sudo crontab -e
;-- Add the following —
30 2 * * 1 /usr/bin/letsencrypt renew >> /var/log/le-renew.log
35 2 * * 1 /bin/systemctl reload nginx
-----------Save & Exit --------------
Let me know if you think the renewal will fail without using the original letsencrypt command.
If this won’t renewal, then I am back at the beginning of my problem.
I’ll just use the saved certificate during my testing, and the new certificate in production.
Thanks for letting me know,

It will definitely fail this way; it needs the renewal configuration file in /etc/letsencrypt/renewal and also /etc/letsencrypt/archive/, which must contain the 4 files with appropriate names, plus appropriate symbolic link structure from live into archive with appropriate names.

Thanks for your explanation. I’ll create a new certificate when building production sites, but will re-use the certificate for development sites.
Thanks Much,

So I’m guessing this is the question. If one tears down and re-instantiate a box with a web site often, and as part of the process installs exiting letsencrypt certs, what is the recommended way to make sure that letsencrypt renew will renew them?

Rather than simply backing up the four .pem files, back up and restore the entire /etc/letsencrypt/ directory. That will make sure the symlink structure and .conf file are preserved.


(using a method that preserves symlink structure, not just file contents)

@schoen Do csr and keys sub-directories have to be backed up as well? If yes, why?

Currently those are just for reference purposes and are not used for version control, so it should be safe to delete them or omit backing them up. You will need to back up archive, live, and renewal, and you’ll probably encounter other kinds of problems unless you also back up accounts (because renewal files can reference a particular account that should be re-used when renewing).

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.