Import existing certificate to letsencrypt

Hi all,

I have generated a certificate with certbot, which works without any problem. I have stored all generated files under the directories “configs” and “logs”, so all generated data and PEM files exist. The problem is that I have recently re-installed the OS on my machine, so all info under /etc/letsencrypt is gone and now certbot cannot find any certificate on my machine if I intend to renew my certificate, for instance. Is there any way to import my certificate into letsencrypt so all data will be created automatically under /etc/letsencrypt?

I read some threads about adding all info manually with symbolic links, etc. which I am not really interested in so I would appreciate if you let me know if there is any way to import the certificate using a proper method.

Thanks in advance,

Danesh

You do have backups, right?

I’m not quite sure I understand this correctly. What directories “configs” and “logs” do you mean? Also, the certbot PEM files are under /etc/letsencrypt/archive/, not in some directory “configs” or “logs”?

Where do you want to import the certificates from? Certificates are publicly known (in Certificate Transparency logs, for example), but you also need the private key… which is private, obviously. So you’ll need to import that private key from your own backup.

Perhaps after answering the above questions it might be easy to “import” the files, but most likely I think this thread will end with the advice to just install certbot on your re-installed OS and generate a whole new (set of) certificate(s).

Thanks for your answer. Actually I have all generated files by letsencrypt including public and private keys, certificate and full chain PEM files. Would that be enough to re-construct the structure under /etc/letsencrypt/?

Regards,

Danesh

I’m not sure I follow. You say you have every file backed up. In theory yes, that should be enough to “re-construct” /etc/letsencrypt/. But I fail to understand why that is a problem? What specific issue are you running into?

Well this is the directory that I have as backup:

.
├── accounts
│   └── acme-v02.api.letsencrypt.org
│       └── directory
│           └── bf8beee8d2a1ff97b4b11bc659651df5
│               ├── meta.json
│               ├── private_key.json
│               └── regr.json
├── archive
│   └── mydomain.com
│       ├── cert1.pem
│       ├── chain1.pem
│       ├── fullchain1.pem
│       └── privkey1.pem
├── csr
│   └── 0000_csr-certbot.pem
├── keys
│   └── 0000_key-certbot.pem
├── live
│   ├── hellozink.com
│   │   ├── cert.pem -> …/…/archive/mydomain.com/cert1.pem
│   │   ├── chain.pem -> …/…/archive/mydomain.com/chain1.pem
│   │   ├── fullchain.pem -> …/…/archive/mydomain.com/fullchain1.pem
│   │   ├── privkey.pem -> …/…/archive/mydomain.com/privkey1.pem
│   │   └── README
│   └── README
├── renewal
│   └── mydomain.com.conf
└── renewal-hooks
    ├── deploy
    ├── post
    └── pre

But I have all this data as a backup in my home directory and would like to create the correct structure out of it in /etc/letsencrypt/, so I would be able to renew my certificate using certbot, because I guess certbot will automatically search for certificates in /etc/letsencrypt.

Thanks,

Danesh

That looks like the contents of /etc/letsencrypt to me, with the correct structure. Even the symbolic links are kept as symbolic links.

I think you should be able to just copy those items over as root:

mkdir /etc/letsencrypt
cp -R /home/path/to/those/files/* /etc/letsencrypt/

I’m not sure if the correct permissions are copied correctly that way. If you do a ls -l /etc/letsencrypt/ the permissions should look like this:

drwx------  6 root root   4096 May 20  2018 accounts
drwx------ 38 root root   4096 Jan  6 19:55 archive
drwxr-xr-x  2 root root  4096 Feb 25  2016 certs
-rw-r--r--  1 root root   1085 May 20  2018 cli.ini
drwxr-xr-x  2 root root  20480 Jan  6 19:52 csr
drwx------  2 root root  20480 Jan  6 19:52 keys
drwx------ 37 root root   4096 Jan  6 19:55 live
-rw-r--r--  1 root root   1619 Jan 14  2018 options-ssl-apache.conf
drwxr-xr-x  3 root root   4096 Jan  6 19:55 renewal
drwxr-xr-x  5 root root   4096 Jan 14  2018 renewal-hooks

Also:

  • for the files in accounts:
    -rw-r--r-- 1 root root   66 May 20  2018 meta.json
    -r-------- 1 root root 3169 May 20  2018 private_key.json
    -rw-r--r-- 1 root root  961 May 20  2018 regr.json
    
  • everything in archive seems to be -rw-r--r-- here… Not sure if that’s correct, private key having that permission although I can remember a few threads about it saying the permissions on the directory are already strict so it’s fine
  • everything in certs is -rw-r--r--
  • everything in csr is -rw-r--r--
  • everything in keys has permission -rw-------
  • everything in live are symbolic links, so no permissions to set there
  • everything in renewal has -rw-r--r--
  • I don’t have any hooks, but it shouldn’t be too hard to figure that out :wink:
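A check to run after the copy, as an added example that is not part of the original thread: it flags key-holding directories and key files whose modes differ from the listing in the answer above, and live/ links that do not resolve. The function names, the constructed `example.test` sample tree and the use of GNU `stat` are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit a restored certbot directory (assumes GNU stat).
# Usage as root: audit_le_restore /etc/letsencrypt
audit_le_restore() {
    root=$1 findings=0
    report() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # Directories holding key material: mode 700 in the listing above.
    for d in accounts archive keys live; do
        [ -d "$root/$d" ] || continue
        mode=$(stat -c '%a' "$root/$d")
        [ "$mode" = 700 ] || report "$root/$d is mode $mode, expected 700"
    done

    # keys/* and ACME account keys: no group/other permission bits.
    for f in "$root"/keys/* "$root"/accounts/*/*/*/private_key.json; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        case $mode in
            ?00) ;;
            *) report "$f is mode $mode, accessible beyond its owner" ;;
        esac
    done

    # live/<name>/*.pem must be symlinks whose targets exist.
    for l in "$root"/live/*/*.pem; do
        if [ ! -L "$l" ]; then
            [ -e "$l" ] && report "$l is a regular file, not a symlink"
        elif [ ! -e "$l" ]; then
            report "$l is a dangling symlink"
        fi
    done
    [ "$findings" -eq 0 ]   # exit status 0 only when nothing was flagged
}

# Constructed sample tree (hypothetical names) for trying the audit offline.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/archive/example.test" "$t/live/example.test" "$t/keys" \
             "$t/accounts/acme.example/directory/0123abcd"
    : > "$t/archive/example.test/privkey1.pem"
    : > "$t/keys/0000_key-certbot.pem"
    : > "$t/accounts/acme.example/directory/0123abcd/private_key.json"
    ln -s ../../archive/example.test/privkey1.pem "$t/live/example.test/privkey.pem"
    chmod 700 "$t/accounts" "$t/archive" "$t/keys" "$t/live"
    chmod 600 "$t/keys/0000_key-certbot.pem"
    chmod 400 "$t/accounts/acme.example/directory/0123abcd/private_key.json"
    echo "$t"
}
```

Files under archive/ are not checked individually, matching the answer's observation that the strict directory mode is what protects them.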

Thanks. It solved my problem.
