I’m sure this must be a common problem.
I have a server that is already running with a functioning certbot, that validates the certificates every 90 days.
I would like to replace the server with minimum downtime. My plan is to create a new like-for-like server.
I would then copy all the certificates from the existing server to the new server like this:
mkdir -p /etc/letsencrypt/archive/$VPNHOST/
mkdir -p /etc/letsencrypt/live/$VPNHOST/
cp cert1.pem /etc/letsencrypt/archive/$VPNHOST/cert1.pem
cp chain1.pem /etc/letsencrypt/archive/$VPNHOST/chain1.pem
cp fullchain1.pem /etc/letsencrypt/archive/$VPNHOST/fullchain1.pem
cp privkey1.pem /etc/letsencrypt/archive/$VPNHOST/privkey1.pem
ln -f -s /etc/letsencrypt/archive/$VPNHOST/cert1.pem /etc/letsencrypt/live/$VPNHOST/cert.pem
ln -f -s /etc/letsencrypt/archive/$VPNHOST/chain1.pem /etc/letsencrypt/live/$VPNHOST/chain.pem
ln -f -s /etc/letsencrypt/archive/$VPNHOST/fullchain1.pem /etc/letsencrypt/live/$VPNHOST/fullchain.pem
ln -f -s /etc/letsencrypt/archive/$VPNHOST/privkey1.pem /etc/letsencrypt/live/$VPNHOST/privkey.pem
Then I would change the DNS to point to the new IP address. After some time, when the change has propagated, I can connect to the new server via the same domain, and the existing SSL certificates are valid.
But when I attempt to activate the non-interactive mode of certbot to take over from here again:
certbot certonly --non-interactive --agree-tos --standalone --email email@example.com --preferred-challenges http -d s2.mydomain.net
It succeeds; however, it creates a new folder s2.mydomain.net-0001. It's messy, and now my own apps are still pointing to the old directory s2.mydomain.net, which will expire in 90 days.
What is the best approach to this problem, please? This should be a common issue (I hope).
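As an added example (not code from the original post): a POSIX shell script that copies one certbot lineage together with the two pieces the copy above leaves out, the renewal/NAME.conf file, which is what certbot consults to recognise an existing certificate on its next run, and the accounts/ entry that config names, and then checks the result. The function names, the placeholder PEM contents built by make_sample_root and the parameterised root directories are my own assumptions so the script can be exercised against a scratch directory; on a real host both roots would be /etc/letsencrypt and the copy would travel over an encrypted channel such as scp.

```shell
#!/bin/sh
# Added example, not code from the original post. Copies one certbot lineage
# (archive/, live/ symlinks, renewal/NAME.conf and the ACME account it names)
# from SRC_ROOT to DST_ROOT and verifies the copy. Roots are parameters so the
# functions can run against scratch directories; real hosts use /etc/letsencrypt.
set -eu

# migrate_lineage SRC_ROOT DST_ROOT NAME
migrate_lineage() {
  src=$1; dst=$2; name=$3
  # Without renewal/NAME.conf certbot has no record of the lineage and will
  # create NAME-0001 on the next certonly run, so treat its absence as an error.
  if [ ! -f "$src/renewal/$name.conf" ]; then
    echo "no renewal config for $name in $src" >&2
    return 1
  fi
  mkdir -p "$dst/archive/$name" "$dst/live/$name" "$dst/renewal"
  # Copy under umask 077 so private keys are created unreadable to others,
  # then open up only the public parts.
  (umask 077 && cp "$src/archive/$name"/*.pem "$dst/archive/$name/")
  for f in "$dst/archive/$name"/*.pem; do
    case $(basename "$f") in
      privkey*) chmod 600 "$f" ;;
      *)        chmod 644 "$f" ;;
    esac
  done
  # Find the newest serial N (privkeyN.pem) and point live/ at it using the
  # same relative symlinks certbot itself creates.
  n=0
  for k in "$src/archive/$name"/privkey*.pem; do
    i=${k##*privkey}; i=${i%.pem}
    if [ "$i" -gt "$n" ]; then n=$i; fi
  done
  for f in cert chain fullchain privkey; do
    ln -sfn "../../archive/$name/$f$n.pem" "$dst/live/$name/$f.pem"
  done
  # The renewal config stores absolute paths; rewrite them if the root moved.
  sed "s#$src#$dst#g" "$src/renewal/$name.conf" > "$dst/renewal/$name.conf"
  # The config names an ACME account id; copy accounts/ so renewal does not
  # fail for lack of the account key (kept private via umask).
  if [ -d "$src/accounts" ]; then
    mkdir -p "$dst/accounts"
    (umask 077 && cp -R "$src/accounts/." "$dst/accounts/")
  fi
}

# verify_lineage DST_ROOT NAME: 0 if the copied lineage looks usable
verify_lineage() {
  dst=$1; name=$2
  for f in cert chain fullchain privkey; do
    link="$dst/live/$name/$f.pem"
    # -L: it is a symlink; -f: the link resolves to a regular file
    if [ ! -L "$link" ] || [ ! -f "$link" ]; then
      echo "live/$name/$f.pem missing or dangling" >&2; return 1
    fi
  done
  if [ ! -f "$dst/renewal/$name.conf" ]; then
    echo "renewal/$name.conf missing" >&2; return 1
  fi
  if ! grep -q "$dst/live/$name/" "$dst/renewal/$name.conf"; then
    echo "renewal config does not reference $dst" >&2; return 1
  fi
  # The private key must not be group- or world-readable (ls -L follows the link).
  if [ "$(ls -lL "$dst/live/$name/privkey.pem" | cut -c5-10)" != "------" ]; then
    echo "privkey.pem is readable by group or others" >&2; return 1
  fi
  return 0
}

# make_sample_root ROOT NAME ACCOUNT_ID
# Builds a constructed stand-in for a certbot tree (placeholder PEM text, not
# real keys) with two serials so the newest-serial logic is exercised.
make_sample_root() {
  root=$1; name=$2; acct=$3
  mkdir -p "$root/archive/$name" "$root/renewal"
  mkdir -p "$root/accounts/acme-v02.api.letsencrypt.org/directory/$acct"
  for s in 1 2; do
    for f in cert chain fullchain privkey; do
      printf 'PLACEHOLDER %s%s\n' "$f" "$s" > "$root/archive/$name/$f$s.pem"
    done
  done
  printf 'PLACEHOLDER account key\n' \
    > "$root/accounts/acme-v02.api.letsencrypt.org/directory/$acct/private_key.json"
  cat > "$root/renewal/$name.conf" <<EOF
version = 0.0.0 (constructed sample)
archive_dir = $root/archive/$name
cert = $root/live/$name/cert.pem
privkey = $root/live/$name/privkey.pem
chain = $root/live/$name/chain.pem
fullchain = $root/live/$name/fullchain.pem

[renewalparams]
account = $acct
authenticator = standalone
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}
```

Against scratch directories the sequence is make_sample_root, migrate_lineage, verify_lineage; after copying to a real host, `certbot certificates` should list the lineage under its original name rather than a -0001 variant, and the live/ symlinks should point at the highest serial in archive/.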