I have inherited an application server that is extremely faulty. I’ve migrated the Application to a new server, and all that remains is to migrate Let’s Encrypt.
The certificate has expired and therefore requires renewal; however, I cannot execute this on the new server because Let’s Encrypt (rightly) fails the authentication, explaining that the domain name resolved to an incorrect host.
I have copied the /etc/letsencrypt directory to the new server; however, sadly, it’s still not happy with IP addresses, etc.
Is it possible to “migrate” LE onto a new server in this way? If so, does anyone know how this might be possible?
Have a look at the renewal configuration folder /etc/letsencrypt/renewal
The fact you registered with the same email ID doesn’t matter. Let’s Encrypt provides an account key which you should be able to find under /etc/letsencrypt/accounts/
What I think you will find is that you didn’t copy the /etc/letsencrypt/accounts/ from your old server to your new server
When certbot is trying to do the renewals it’s trying to find an account on the new server that doesn’t exist
You have two options:
A) copy the account folder from your old server to your new server
B) Update the renewal config files with your new account ID
Migrations generally should be thought out, otherwise you will get into trouble
Certbot knows what account created the cert and tries to use the same account at renewal time
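The mismatch described in this reply can be checked before running a renewal. The POSIX sh script below is an added example, not part of the original thread or of certbot; it assumes certbot's usual layout, where each renewal/<name>.conf carries an `account = <id>` line and the matching account lives under accounts/<acme-host>/<path>/<id>/.

```shell
#!/bin/sh
# For every renewal config under <letsencrypt-dir>/renewal, extract the account ID
# it references and verify that directory exists under <letsencrypt-dir>/accounts.
# Returns 0 when every config has a matching account, 1 otherwise.
check_renewal_accounts() {
    le_dir="${1:-/etc/letsencrypt}"
    missing=0
    for conf in "$le_dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        # The account ID is the value of the "account = ..." line in [renewalparams].
        acct=$(sed -n 's/^[[:space:]]*account[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        if [ -z "$acct" ]; then
            echo "NO ACCOUNT LINE: $conf"
            missing=$((missing + 1))
            continue
        fi
        # certbot stores accounts as accounts/<acme-host>/<path>/<account-id>/
        # (e.g. accounts/acme-v02.api.letsencrypt.org/directory/<id>/).
        found=0
        for d in "$le_dir"/accounts/*/*/"$acct"; do
            [ -d "$d" ] && found=1
        done
        if [ "$found" -eq 1 ]; then
            echo "OK      $(basename "$conf" .conf) -> $acct"
        else
            echo "MISSING $(basename "$conf" .conf) -> $acct (copy accounts/ from the old server or update this file)"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh check_accounts.sh /etc/letsencrypt   (hypothetical script name)
if [ "$#" -gt 0 ]; then
    check_renewal_accounts "$1"
    exit $?
fi
```

A MISSING line points at exactly the config that option B in the reply above would need to update, or confirms that option A (copying accounts/) is what is missing.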
@ahaw021 - I too was wondering if it is worth revoking the certs to remove them from LE’s PKI and then add them anew from the new server. Is this not a good plan? (Obviously, for me at this stage, this is theoretical).
The web PKI allows an unlimited number of certificates with overlapping coverage and overlapping validity to exist. A certificate really only needs to be revoked if some responsible party learns that the certificate has become inaccurate. It doesn't need to be revoked in order to create additional certificates that cover the same domain name(s).
You’re using Certbot? In that case you should specify the certificate name with --cert-name (you can find it by running certbot certificates) and specify the new complete domain list with -d options (omitting the name that you no longer want to see included).
Is the global DNS record for www.xxxx.com pointing at the server you’re trying to execute the command on? Because this is the same message I’m getting and I haven’t corrected the DNS issue yet.
This error means that Certbot was not able to reconfigure your web server to pass the challenge, but thought that it succeeded. (That could be caused by not running Certbot on the web server machine itself, but also by other reasons.) Any idea why this might be?
To use a certificate, you need the corresponding private key. The certificate authority never possesses it, so if you don’t have a copy, that certificate is totally unusable.
If you’d like to look into what’s going on with the failed authorization, could you tell us what command you ran and also post the log file from /var/log/letsencrypt?