LetsEncrypt Cert Files Copied to New Server

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sbcsepla.org sbcselpa.org

I ran this command:
sudo certbot renew --dry-run

It produced this output:
[sudo] password for cniadmin:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No simulated renewals were attempted.


My web server is (include version):
Apache/2.4.62 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 24.10

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 3.1.0

We migrated the site to a new server and the LetsEncrypt cert files were copied over. We want to set up auto-renewal and it looks like certbot doesn't know about the cert files on this server since they were copied over.

What would be the most appropriate and clean way to handle this scenario?

Thanks,
Kristen

Make sure the files were copied properly by looking at the /etc/letsencrypt/ directory on the new server.

I assume the command sudo certbot certificates doesn't show any certificates?


This is what I get with the sudo certbot certificates command:

cniadmin@cni-wordpress-selpa:~$ sudo certbot certificates
[sudo] password for cniadmin:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


No certificates found.


This is what is in the /etc/letsencrypt folder:

accounts
cli.ini
options-ssl-apache.conf
renewal-hooks

The cert files for the site are in a different folder: /etc/ssl/...

Hi @kristenannie, I am not finding that domain name exists.
https://dnsviz.net/d/sbcsepla.org/dnssec/


And using the online tool Let's Debug yields these results https://letsdebug.net/sbcsepla.org/2362720

What does the directory of that look like?

Check the cron on the old server; you may have invoked certbot with a --config-dir=/etc/ssl flag, or similar. If that is the case, you need to copy that directory to the new server and either overwrite the /etc/letsencrypt or put it in /etc/ssl and invoke certbot with the requisite flags.

It is also possible that certbot wasn't managing those certs, and another client was. Check the crons on the other server to see what was running and how.


Sorry, typo, it's sbcselpa.org.


When I type the command "sudo certbot certificates" on the server it was copied from, it sees the cert:

Certificate Name: sbcselpa.org
Serial Number: 3d682d6bbe2c865fcb04e2671a8d78946c7
Key Type: RSA
Domains: sbcselpa.org www.sbcselpa.org
Expiry Date: 2025-03-02 18:04:37+00:00 (VALID: 18 days)
Certificate Path: /etc/letsencrypt/live/sbcselpa.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/sbcselpa.org/privkey.pem


That /etc/ssl/ has these folders/files:

cert.pem certs key.pem openssl.cnf private sbcselpa.org

sbcselpa.org contains:

fullchain.pem
privkey.pem

Please show the output of sudo apachectl -t -D DUMP_VHOSTS.

That directory looks like it was manually constructed from the LetsEncrypt files or copied over by a script.

Check the /etc/letsencrypt directory on the old server. I wonder if all the files are there, but perhaps you did not have adequate permissions when copying files over.

That's the last thing I can think of in terms of possible errors. There are others here who are more familiar with Certbot.

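The check the replies above ask for (was everything under /etc/letsencrypt copied, and copied intact?), as an added example that is not part of the original thread. It assumes certbot's standard layout of `renewal/<name>.conf` plus `live/<name>/*.pem` symlinks pointing into `archive/<name>/`; the function name `check_lineage` is hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Layout assumed: certbot's standard
# renewal/<name>.conf, live/<name>/*.pem symlinks into archive/<name>/.

# check_lineage CONFIG_DIR CERT_NAME  (hypothetical helper name)
# Prints each problem found and returns the problem count (0 = intact).
check_lineage() {
    local dir="$1" name="$2" problems=0 f link target

    # "certbot certificates" only lists lineages that have a renewal config.
    if [ ! -f "$dir/renewal/$name.conf" ]; then
        echo "missing renewal config: $dir/renewal/$name.conf"
        problems=$((problems + 1))
    fi

    for f in cert chain fullchain privkey; do
        link="$dir/live/$name/$f.pem"
        if [ ! -e "$link" ] && [ ! -L "$link" ]; then
            echo "missing: $link"
            problems=$((problems + 1))
        elif [ ! -L "$link" ]; then
            # A copy that dereferences symlinks leaves plain files here.
            echo "regular file, expected symlink: $link"
            problems=$((problems + 1))
        else
            target=$(readlink -f "$link" 2>/dev/null || true)
            if [ ! -f "$target" ]; then
                echo "dangling symlink: $link"
                problems=$((problems + 1))
            else
                case "$target" in
                    */archive/"$name"/*) ;;
                    *) echo "target outside archive/$name: $link"
                       problems=$((problems + 1)) ;;
                esac
            fi
        fi
    done
    return "$problems"
}

# Run against a real directory only when arguments are given, e.g.
#   sudo bash check_lineage.sh /etc/letsencrypt sbcselpa.org
if [ "$#" -ge 2 ]; then
    check_lineage "$1" "$2"
fi
```

Run on the new server as described in the thread (only accounts, cli.ini, options-ssl-apache.conf and renewal-hooks present), it would report the renewal config and all four live files as missing.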