Migrating Certbot and Certificates Between Servers

I have inherited an application server that is extremely faulty. I’ve migrated the Application to a new server, and all that remains is to migrate Let’s Encrypt.

The certificate has expired, and therefore requires renewal, however, I cannot execute this on the new server because Let’s Encrypt (rightly) fails the authentication, explaining that the domain name resolved to an incorrect host.

I have copied the /etc/letsencrypt directory to the new server, however, sadly, it’s still not happy with IP addresses…etc.

Is it possible to “migrate” LE onto a new server in this way? If so, does anyone know how this might be possible?

Mosheh

hi @moshehbwc

Fixing your global DNS to point to the new server seems to be the logical step to solve this

Andrei

Hi @ahaw021

I’ll give it a go and let you know how I get on.

Mosheh

I am in the same boat right now.

DNS is updated.
I revoked the cert from the old server and deleted it too.

Now on the new server, it is giving me an error for "unauthorised".

Any other process to update the acme registration to revoke that cert?
Any suggestions??

FYI: I registered with same email id on both the servers

Thanks

hi @trickmyidea

Have a look at the renewal configuration folder /etc/letsencrypt/renewal

The fact you registered with the same email ID doesn’t matter. Let’s Encrypt provides an account key which you should be able to find under /etc/letsencrypt/accounts/

What I think you will find is that you didn’t copy /etc/letsencrypt/accounts/ from your old server to your new server

When certbot is trying to do the renewals, it’s trying to find an account on the new server that doesn’t exist

You have two options

A) copy the account folder from your old server to your new server
B) Update the renewal config files with your new account ID

Migrations generally should be thought out, otherwise you will get into trouble

Certbot knows what account created the cert and tries to use the same account at renewal time

Andrei
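To make the account/renewal-config relationship Andrei describes concrete, here is an added audit script (not Certbot's own code, not from anyone in the thread). It assumes Certbot's on-disk layout: `<root>/renewal/<cert-name>.conf` carries `[renewalparams]` with `account = <id>` and `server = <url>`, and `<root>/accounts/<server host and path>/<id>/` holds that account's key material; the fixture tree, the cert names `xxxx.com`/`yyyy.com` and the account ids are constructed for the demo.

```python
"""Audit Certbot renewal configs against the ACME accounts present on this host.
Added example; assumed layout (matches what Certbot writes, but treat it as an assumption):
  <root>/renewal/<cert-name>.conf          [renewalparams] account = <id>, server = <url>
  <root>/accounts/<server host+path>/<id>/ regr.json, private_key.json, meta.json
"""
import os
import tempfile

DEFAULT_SERVER = "https://acme-v02.api.letsencrypt.org/directory"


def parse_renewal_conf(text):
    """Minimal INI parse: Certbot's renewal files put some keys before any [section]."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections


def account_dir(root, server_url, account_id):
    # Certbot keys account storage by the ACME server URL minus its scheme.
    host_path = server_url.split("://", 1)[-1].rstrip("/")
    return os.path.join(root, "accounts", host_path, account_id)


def audit(root):
    """Return {cert_name: (account_id, account_present)}; False means renewal will fail."""
    report = {}
    renewal_dir = os.path.join(root, "renewal")
    for fname in sorted(os.listdir(renewal_dir)):
        if not fname.endswith(".conf"):
            continue
        with open(os.path.join(renewal_dir, fname)) as fh:
            params = parse_renewal_conf(fh.read()).get("renewalparams", {})
        acct = params.get("account", "")
        server = params.get("server", DEFAULT_SERVER)
        present = bool(acct) and os.path.isdir(account_dir(root, server, acct))
        report[fname[: -len(".conf")]] = (acct, present)
    return report


def make_fixture_root():
    """Constructed sample tree: xxxx.com's account was copied over, yyyy.com's was not."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "renewal"))
    os.makedirs(account_dir(root, DEFAULT_SERVER, "aaaa1111"))  # copied from the old server
    for name, acct in (("xxxx.com", "aaaa1111"), ("yyyy.com", "bbbb2222")):
        with open(os.path.join(root, "renewal", name + ".conf"), "w") as fh:
            fh.write(f"version = 1.0\ncert = /etc/letsencrypt/live/{name}/cert.pem\n"
                     f"[renewalparams]\naccount = {acct}\nserver = {DEFAULT_SERVER}\n")
    return root
```

Run `audit("/etc/letsencrypt")` on the new server: any cert reported with `False` is one whose renewal config names an account that was never copied across, which is Andrei's option A (copy the account folder) or option B (point the config at an account that does exist).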

also what is the point of revoking certificates?

Do you understand the purpose of revocation and when it should be used?

Andrei

Thanks,

My idea was to remove and re-create the certificates on new server.

As I have issued the delete on certbot, I do not have the renewal folder.

Let me try copying the account and see if I can recreate or revoke the certificate.

FYI: I am able to find the pem file from crt.sh site. Hopefully, I will be able to delete it completely.

Will update soon.

Thanks

The reason for revoking was to split domains from one certificate, as they have been moved to different machines now.

@ahaw021 - I too was wondering if it is worth revoking the certs to remove them from LE’s PKI and then add them anew from the new server. Is this not a good plan? (Obviously, for me at this stage, this is theoretical).

The web PKI allows an unlimited number of certificates with overlapping coverage and overlapping validity to exist. A certificate really only needs to be revoked if some responsible party learns that the certificate has become inaccurate. It doesn't need to be revoked in order to create additional certificates that cover the same domain name(s).


That's extremely helpful. Thank you, Schoen.


Thanks, I get it now.

Though, I am not sure if the existing one continues to renew for both the domains. Any clues on removing one domain from the cert?

Trying to generate a new cert with --duplicate

You’re using Certbot? In that case you should specify the certificate name with --cert-name (you can find it by running certbot certificates) and specify the new complete domain list with -d options (omitting the name that you no longer want to see included).

Thanks @schoen

I was able to create a separate cert for one using --cert-name, but when I tried to create a new cert for the other domain, it comes back with the issue

Failed authorization procedure. www.xxxx.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested f90218b37f9dbefb7a3109575f90e9d9.2de73aa87a936d8b8ecb1a2b9da88a2a.acme.invalid from :443. Received 1 certificate(s), first certificate had names ".yyyy.com, yyyy.com", xxxx.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 935f323e318c42010a9228f37.77e3cf65fef3862c5a9f2eceddbb0939.acme.invalid from :443. Received 1 certificate(s), first certificate had names ".yyyy.com, yyyy.com"

Looks like account authorization issues. Any suggestions?

FYI: I have both accounts on the same machine. Obviously, a copy of the account folder.

Thanks

Is the global DNS record for www.xxxx.com pointing at the server you’re trying to execute the command on? Because this is the same message I’m getting and I haven’t corrected the DNS issue yet.

Yes, DNS has been updated and propagated. Verified it on https://www.whatsmydns.net/

This error means that Certbot was not able to reconfigure your web server to pass the challenge, but thought that it succeeded. (That could be caused by not running Certbot on the web server machine itself, but also by other reasons.) Any idea why this might be?

I am not sure of other issues.

I tried to find the certificate on crt.sh and can see that the other domains referred to in the error are not listed. The cert is still active.

I see two options:

  • Delete that cert from repo & Create new one
  • Get that downloaded using certbot

But no clue on how to achieve either :worried:

To use a certificate, you need the corresponding private key. The certificate authority never possesses it, so if you don’t have a copy, that certificate is totally unusable.

If you’d like to look into what’s going on with the failed authorization, could you tell us what command you ran and also post the log file from /var/log/letsencrypt?

Command & Output
Command-Output.txt (1.9 KB)

Log file
letsencrypt.txt (31.5 KB)