How to transfer Let's Encrypt certificate to another system (CWP)?

Is there any way to transfer the existing SSL certificate from the Certbot tool to another system that uses Let's Encrypt?

I'm currently in the process of switching hosting providers, but the new server uses CWP on CentOS, which includes the "SSL Certificates" module with the "AutoSSL" setting to generate a Let's Encrypt certificate, so technically I can't just transfer the "letsencrypt" directory with the keys because it's a different application. So my question is, is there any way to transfer the certificate to the new server?

Also, if the site already has a Let's Encrypt certificate, after changing servers, can the new server with the same domain request another certificate from Let's Encrypt?

Update:
I found on CWP that the SSL Certificate module has a "Manual Install" option. Can I just open the keys, copy them, and paste them into the interface?

If so, how do I enter this information?

The "Manual Install" section has three fields: "Certificate," "Private key," and "Certificate Authority."

Now on the old server, I have the letsencrypt and live directories which include the cert.pem, chain.pem, fullchain.pem, and privkey.pem. Knowing these files, what should I put for "Certificate," "Private key," and "Certificate Authority"?

First, I wouldn't worry about copying the cert from your old system. Just start getting one on your new system and that's it.

If you insist on copying to the manual screen I am pretty sure you copy/paste:
cert.pem to the Certificate box
privkey.pem to the Private Key box
chain.pem to the Certificate Authority box

6 Likes
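As an added example (not from the original thread or from CWP), here is a small Python check that reads certbot's `live/<domain>/` files, verifies they belong together (one leaf in `cert.pem`, one key in `privkey.pem`, and `fullchain.pem` equal to `cert.pem` followed by `chain.pem`), and returns the three CWP Manual Install boxes with the mapping given above. The PEM bodies in `demo()` are constructed placeholders, not real certificates or keys; the function itself works on a real certbot directory.

```python
import os
import re
import tempfile

# One PEM block; the END label must match the BEGIN label (backreference).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)

def pem_blocks(text):
    """Return (label, block) pairs for every PEM block found in text."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def cwp_manual_install_fields(live_dir):
    """Read certbot's live/<domain>/ files and return the three CWP Manual Install
    boxes, after checking that the four files are structurally consistent."""
    def blocks(name):
        with open(os.path.join(live_dir, name)) as f:
            return pem_blocks(f.read())
    cert, key, chain, full = (blocks(n) for n in ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem"))
    if [lbl for lbl, _ in cert] != ["CERTIFICATE"]:
        raise ValueError("cert.pem must contain exactly one CERTIFICATE block")
    if len(key) != 1 or not key[0][0].endswith("PRIVATE KEY"):
        raise ValueError("privkey.pem must contain exactly one private key block")
    if not chain or any(lbl != "CERTIFICATE" for lbl, _ in chain):
        raise ValueError("chain.pem must contain one or more CERTIFICATE blocks")
    # certbot writes fullchain.pem as cert.pem followed by chain.pem; anything else
    # means the files come from different renewals and must not be pasted together.
    if [b for _, b in full] != [cert[0][1]] + [b for _, b in chain]:
        raise ValueError("fullchain.pem != cert.pem + chain.pem")
    return {
        "Certificate": cert[0][1],
        "Private key": key[0][1],
        "Certificate Authority": "\n".join(b for _, b in chain),
    }

# Constructed placeholder PEM blocks (not real certificates or keys) for an offline demo.
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
FAKE_INT = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
FAKE_ROOT = "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"

def demo(tamper=False):
    """Build a fake live/ directory and map it; tamper=True swaps in a stale chain."""
    live = tempfile.mkdtemp()
    chain = FAKE_ROOT if tamper else FAKE_INT + FAKE_ROOT
    for name, body in (("cert.pem", FAKE_LEAF), ("privkey.pem", FAKE_KEY),
                       ("chain.pem", chain), ("fullchain.pem", FAKE_LEAF + FAKE_INT + FAKE_ROOT)):
        with open(os.path.join(live, name), "w") as f:
            f.write(body)
    return cwp_manual_install_fields(live)
```

This only checks the file structure; whether the key actually matches the certificate is a cryptographic check that `openssl` on the old server can confirm before you paste anything.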

Yes, anyone who (or any device which) can satisfy the challenges to prove control of the domain name can request a certificate, as long as that request is within the rate limits.

The old certificate does not prevent the issuance of a new one and neither one's existence contradicts or invalidates the other.

3 Likes

Based on the details, I suspect there is a little more going on here than what was initially shared. An identical situation came up in the Cloudflare Community, which adds a slight complication to the move. Cloudflare expects the new server to have a valid certificate and will fail to connect without one. That makes for a difficult HTTP-01 challenge.

If this is the same instance, copying the certificate to the new host was successful.

4 Likes

If Cloudflare is involved here, wouldn't Flex mode in Cloudflare be enough to get the initial cert with HTTP Challenge and then switch to a more secure mode after getting one? Or even disable the DNS Proxy temporarily?

We see similar questions to this pretty regularly though that have nothing to do with Cloudflare. I fully agree Cloudflare (or pretty much any CDN) would complicate such a transition but many people are just tentative about using certs.

For sure we have to make bigger guesses when the posters don't answer the form questions.

4 Likes

We only mention that term over there after the words "Don't ever use" :grinning:

Possibly, but some people have concerns about their origin IP being logged. Others may limit HTTP access to only Cloudflare IPs. I was actually impressed with the idea to install the existing LE cert on the new server.

4 Likes

Pretty sure there's a Cloudflare option to use an invalid origin certificate (or just use HTTP), then once you have certs working again you can switch back to the strict mode.

2 Likes

There are.

Full

Off

Flexible is actively discouraged due to the insecure connection to the origin that too many are willing to allow due to ignorance or complacency.

3 Likes

But "flexible" is alphabetically first... so, it must be the best choice - LOL

^ ^ s a r c a s m   d e t e c t e d ^ ^

  • flexible
  • full
  • off

3 Likes

Thanks. This situation is very clearly a migration scenario and nobody (especially me) is suggesting that relaxed settings should be used permanently.

@mhweb you could consider getting a free Origin certificate from Cloudflare: Origin CA certificates · Cloudflare SSL/TLS docs this will give you something to use temporarily so you can keep using TLS end-to-end. Any certificate (trusted or not, valid or not) will enable encryption between the two services.

4 Likes

I understand that none of the regular participants in this Community would suggest using insecure settings. I was just offering some insight into why there is a vocal effort in the Cloudflare Community to discourage the use of the setting. Too many people are running unencrypted traffic between Cloudflare and their origin server because they either don't understand how Flexible works, or even worse, they don't care.

This migration was already successfully completed, so the Cloudflare Origin CA certificate route is moot at this point, though it would work with proxied traffic.

4 Likes

I also carried out a server migration just a few days ago.

The original server likewise had a Let's Encrypt certificate issued. On the new server, a new Let's Encrypt certificate was issued with the default settings without any problems, even though the old certificate had not yet expired.

No certificate files had to be copied from the old server to the new server first.

When Cloudflare is used, it is more complicated.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.