How to replace an existing server with the same SSL certificate?

houmie · March 18, 2020, 7:32pm

I’m sure this must be a common problem.

I have a server that is already running with a functioning certbot, that validates the certificates every 90 days.

I would like to replace the server with minimum downtime. My plan is to create a new like-for-like server.

I would then copy all the certificates from the existing server to the new server like this:

mkdir -p /etc/letsencrypt/archive/$VPNHOST/
  mkdir -p /etc/letsencrypt/live/$VPNHOST/
  cp cert1.pem /etc/letsencrypt/archive/$VPNHOST/cert1.pem
  cp chain1.pem /etc/letsencrypt/archive/$VPNHOST/chain1.pem
  cp fullchain1.pem /etc/letsencrypt/archive/$VPNHOST/fullchain1.pem
  cp privkey1.pem /etc/letsencrypt/archive/$VPNHOST/privkey1.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/cert1.pem /etc/letsencrypt/live/$VPNHOST/cert.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/chain1.pem /etc/letsencrypt/live/$VPNHOST/chain.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/fullchain1.pem /etc/letsencrypt/live/$VPNHOST/fullchain.pem
  ln -f -s /etc/letsencrypt/archive/$VPNHOST/privkey1.pem /etc/letsencrypt/live/$VPNHOST/privkey.pem

Then I would change the DNS to point to the new IP address. After some time when the change is propagated, I can connect to the new server via the same domain, the existing SSL certificates are valid.

But when I attempt to activate the non-interactive mode of certbot to take over from here again:

certbot certonly --non-interactive --agree-tos --standalone --email support@mydomain.com --preferred-challenges http -d s2.mydomain.net

It succeeds, however it creates a new folder s2.mydomain.net-0001 . It’s messy and now my own apps are still pointing to the old directory s2.mydomain.net which will expire in 90 days.

What is the best approach to this problem, please? This should be a common issue (I hope).

9peppe · March 18, 2020, 8:03pm

that's because your domain list has changed. (removing some)

just run certbot renew --dry-run instead of the entire certbot certonly ...... business

JuergenAuer · March 18, 2020, 8:33pm

Hi @houmie

simple answer: Use --cert-name to overwrite an existing certificate.

https://certbot.eff.org/docs/using.html

houmie · March 18, 2020, 8:53pm

Hello @JuergenAuer

Do you mean I should just append --cert-name s2.mydomain.net to the command I had posted earlier?

I just tried it and I got s2.mydomain.net-0002. Hence it didn’t work.

Thank you,

houmie · March 18, 2020, 9:42pm

@9peppe nothing really happens when I do that. This is a new server where Certbot was never run. Just by copying the certs in that folder can't surely be enough. I still should have to run the whole command to get it kicked off on the new server, right?

** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

No renewals were attempted.
No hooks were run.
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

9peppe · March 18, 2020, 9:43pm

I guess your way of copying /etc/letsencrypt over didn’t work too well.

Maybe use rsync or scp, next time.

houmie · March 18, 2020, 9:49pm

You are not providing a solution. Then show me what needs to be done.

9peppe · March 18, 2020, 9:52pm

open a shell.

type man tar then hit return.

discover how to backup a directory preserving permission and symlinks.

create the archive on source machine, transfer on destination machine and untar. (pay attention to how tar handles relative/absolute paths)

houmie · March 18, 2020, 10:00pm

Are you suggesting to copy the entire /etc/letsencrypt over to the new server?
I have already shown you in my first post that I have copied only the certificates and nothing else. A shame there is no cleaner way. I will try this then and come back.

9peppe · March 18, 2020, 10:01pm

yeah, you also need /etc/letsencrypt/renewal and the rest.

houmie · March 18, 2020, 10:51pm

@9peppe Excellent. I got it working.

tar -zcvf ~/lets.tar.gz /etc/letsencrypt
copy over the file
cd /
tar -zxvf lets.tar.gz

As you suggested it keeps the path in place.

Dry-run seems also a success. I have one last question. The latest certbot (certbot 0.36.0) doesn’t put itself into crontab anymore. How does it know when to rerun the renewal? Can I see somewhere on which day it will try to renew again?

Many Thanks,

9peppe · March 18, 2020, 10:54pm

That's not even close to being the latest.

Try systemctl list-timers certbot.timer

houmie · March 18, 2020, 11:09pm

That worked. Thank you.

I’m using Ubuntu 19.10, which is at the time of writing this the latest available Ubuntu, so I thought it should have fairly the latest version as of October 2019.

9peppe · March 18, 2020, 11:11pm

latest… according to ubuntu repositories. if it works, it doesn’t matter.

system · April 17, 2020, 11:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.