How to replace an existing server with the same SSL certificate?

I’m sure this must be a common problem.

I have a server that is already running with a functioning certbot, that validates the certificates every 90 days.

I would like to replace the server with minimum downtime. My plan is to create a new like-for-like server.

I would then copy all the certificates from the existing server to the new server like this:

mkdir -p /etc/letsencrypt/archive/$VPNHOST/
  mkdir -p /etc/letsencrypt/live/$VPNHOST/
  cp cert1.pem /etc/letsencrypt/archive/$VPNHOST/cert1.pem
  cp chain1.pem /etc/letsencrypt/archive/$VPNHOST/chain1.pem
  cp fullchain1.pem /etc/letsencrypt/archive/$VPNHOST/fullchain1.pem
  cp privkey1.pem /etc/letsencrypt/archive/$VPNHOST/privkey1.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/cert1.pem /etc/letsencrypt/live/$VPNHOST/cert.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/chain1.pem /etc/letsencrypt/live/$VPNHOST/chain.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/fullchain1.pem /etc/letsencrypt/live/$VPNHOST/fullchain.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/privkey1.pem /etc/letsencrypt/live/$VPNHOST/privkey.pem

Then I would change the DNS to point to the new IP address. After some time when the change is propagated, I can connect to the new server via the same domain, the existing SSL certificates are valid.

But when I attempt to activate the non-interactive mode of certbot to take over from here again:

certbot certonly --non-interactive --agree-tos --standalone --email support@mydomain.com --preferred-challenges http -d s2.mydomain.net

It succeeds, however it creates a new folder s2.mydomain.net-0001 . It’s messy and now my own apps are still pointing to the old directory s2.mydomain.net which will expire in 90 days.

What is the best approach to this problem, please? This should be a common issue (I hope).

that’s because your domain list has changed. (removing some)

just run certbot renew --dry-run instead of the entire certbot certonly ...... business

Hi @houmie

simple answer: Use --cert-name to overwrite an existing certificate.

Hello @JuergenAuer

Do you mean I should just append --cert-name s2.mydomain.net to the command I had posted earlier?

I just tried it and I got s2.mydomain.net-0002. Hence it didn’t work.

Thank you,

@9peppe nothing really happens when I do that. This is a new server where Certbot was never run. Just by copying the certs in that folder can’t surely be enough. I still should have to run the whole command to get it kicked off on the new server, right?


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

No renewals were attempted.
No hooks were run.
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


I guess your way of copying /etc/letsencrypt over didn’t work too well.

Maybe use rsync or scp, next time.

You are not providing a solution. Then show me what needs to be done.

open a shell.

type man tar then hit return.

discover how to backup a directory preserving permission and symlinks.

create the archive on source machine, transfer on destination machine and untar. (pay attention to how tar handles relative/absolute paths)

Are you suggesting to copy the entire /etc/letsencrypt over to the new server?
I have already shown you in my first post that I have copied only the certificates and nothing else. A shame there is no cleaner way. I will try this then and come back.

yeah, you also need /etc/letsencrypt/renewal and the rest.

@9peppe Excellent. I got it working.

tar -zcvf ~/lets.tar.gz /etc/letsencrypt
copy over the file
cd /
tar -zxvf lets.tar.gz 

As you suggested it keeps the path in place.

Dry-run seems also a success. I have one last question. The latest certbot (certbot 0.36.0) doesn’t put itself into crontab anymore. How does it know when to rerun the renewal? Can I see somewhere on which day it will try to renew again?

Many Thanks,

That’s not even close to being the latest. :smiley:

Try systemctl list-timers certbot.timer

That worked. Thank you.

I’m using Ubuntu 19.10, which is at the time of writing this the latest available Ubuntu, so I thought it should have fairly the latest version as of October 2019. :slight_smile:

latest… according to ubuntu repositories. if it works, it doesn’t matter.