How to transfer only one domain's SSL certs to a different server?

I want to migrate only one domain to a different server. What files should I copy over?

Is it enough to transfer just the folder “/etc/letsencrypt/live/example.com”?

I ask because I worry that transferring just this folder, and not some associated metadata someplace else, could confuse LetsEncrypt and certbot in some ways.

/etc/letsencrypt/live is useless on it’s own as it only contains symlinks. For a successful migration you’ll need to copy the relevant subdirectories of live/ and archive/ along with the relevant .conf file in renewal/

2 Likes

There are several ways to do this, depending on your exact requirements.

The easiest is simply copy the certificate, private key and CA cert over to the new server, then install a new copy of certbot ( or whatever client you use) in generate a new certificate when it’s time for renewal.

If the certificate covers multiple domains, it becomes a little more complex, but please describe if you want it to be a separate cert or whatever, and we can provide more info.

1 Like

Thanks. Can I safely ignore the accounts/, csr/, and keys/ directories?

Well I have a certificate example.com that covers both example.com and www.example.com. Those www and non-www are the only "multi-domain" certificates I have.

The reason I wanna copy the files for that domain to the new server is because it takes a while for the A records to propagate to the new server and until they do so, letsencrypt can't generate a new cert on the new server. (Plus, I may have created the older cert less than a week ago.)

I’d say the easiest then is just fo copy the cert, private key and CA cert over ). That will get you going, and everything working as soon as the DNS propagates and people hit the site.

You can install a new copy of certbot and generate a new certificate in 2 months time when everything has settled down

(I was only asking about multiple domains in case the you had some domains in the cert on the old server, and some on the new ).

1 Like

Let’s Encrypt doesn’t rely on DNS caches as a client would, so it will be willing to issue to the new web server as soon as the authoritative DNS servers for that name begin giving the new answer. Still, the plan to just copy across certificates and accompanying keys makes sense.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.