Let's Encrypt on a new server

eoin.kim · June 18, 2018, 12:50am

Hi all,

I am trying to swap my company’s Let’s Encrypt server as it is old enough for decommission. I already set up a new server with Debian Stretch with NGINX. So, installing certbot was a breeze, no problems at all. Now, I have to migrate the old Let’s Encrypt to the new server.

I heard that copying the contents under /etc/letsencrypt will do the job if the new server will have the same name and IP address. Is it correct? Or, are there any special command that I can use? For example, if I replace the old server with new one and type ‘certbot renew --nginx -d mydomain’, will it work? The old server has certbot version 0.8.1-2 which I believe quite old.

I’d like to also ask another question with account information change. When I looked at regr.json file on the old system, I found that the old email address is used. Is it possible to change it into a new one?

If it’s possible, I’d like to make this migration via commands as possible as I can instead of copying data from here and there. Hopefully, I explained the situation clearly. I would really appreciate any helps. Thanks a lot.

Patches · June 18, 2018, 1:23am

It's important to copy /etc/letsencrypt using a method that preserves ownership, permissions, and symlinks, such as tar or rsync. And the IP address need not be the same. But otherwise this is correct.

You may also need to copy your web server configuration as well, or else you will have to configure SSL manually or run certbot install to install your certificate into the new server.

certbot renew doesn't take these arguments. If you have copied /etc/letsencrypt from your old server, running certbot renew by itself will renew any certificates that are expiring and let you know that certbot is ready to renew the ones that aren't expiring soon.

If you do not copy the contents of /etc/letsencrypt, then you would need to run certbot --nginx -d yourdomain.com but without the renew argument.

certbot register --update-registration --email <new e-mail address>

eoin.kim · June 18, 2018, 1:45am

Hi,

Thanks for your reply.

If you do not copy the contents of /etc/letsencrypt, then you would need to run certbot --nginx -d yourdomain.com but without the renew argument.

So, if I understood your comment correctly, without copying anything, if I just issue a command 'certbot --nginx -d mydomain', this will work, correct (of course, I have to configure NGINX)? If so, what is going to happen to the old certificate and private key and CSR? Do they automatically get revoked or expired?

certbot register --update-registration --email <new e-mail address>

So, I guess I can type this command after certbot --nginx command or maybe I can combine this when I type the command as well?

Sorry for bothering you and thanks very much.

Eoin

Patches · June 18, 2018, 2:34am

Yes, if the server move has been completed and the new server is now listening on the domain.

Certbot will actually configure your certificate in nginx for you automatically when you pass the --nginx argument.

No, your old certificate will continue to work until it expires. There's no need to manually revoke it, either.

Well, if you don't copy /etc/letsencrypt certbot will ask you for your email address again and it won't matter.

It's only if you copied the old account with the old e-mail that you would have to run this to update it.

eoin.kim · June 18, 2018, 2:50am

Thanks @Patches,

That would make my life easier. Let me have a go. Cheers.

Eoin

Osiris · June 18, 2018, 4:57am

Unless the old server is disposed of without properly ereasing the hard drive and thus the private key.

system · July 18, 2018, 4:57am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.