Move certificate to other server


#1

Hi,

I have installed the apache certificate on one of my server which is working fine with DNS. I have created another copy of the same server which placed at some other place which doesn’t have an internet connection. Is it possible to generate the certificate on another server by copying all files from the working server? Please suggest steps I have to follow for this or the way out. Currently, it seems that apache certificate generate also added some changes in apache files so please specify those files also.


#2

The certificate and related files are stored under /etc/letsencrypt/, and it’s generally safest to copy this entire directory (taking care to preserve the symbolic link structure inside it) rather than trying to extract individual certificates.

The changes made to Apache configuration files vary slightly based on the operating system, but generally it ensures that mod_ssl is enabled and Apache is listening on port 443, and adds a <VirtualHost> on port 443 that is a copy of the existing one on port 80 with some SSL* directives added - usually in a copy of the existing virtual host file with -le-ssl added to the filename.

Note that Let’s Encrypt certificates expire after 90 days and certbot renews them after 60 days by default, so if you want to have valid certificates on the second machine at all times, you’ll have to repeat the copying process at least that often.

This is assuming you have no internet connection at all - if you have at least an outgoing connection, or a connection to the other server, there are a few other options that might be easier in the long run.


#3

Thanks for the reply. Is it be ok if we renew certificate on second server by limited internet access to the server. OR is it compulsory to copy the certificate from first server all the time?


#4

It depends what exactly you mean by “limited internet access”. Can it connect to the other server? Can it connect out to the internet? Can the other server connect back to it?

If your DNS service has an API that allows you to make scripted updates, then you can use DNS validation to renew the certificate on the second server.

If you can configure the first server to proxy requests for /.well-known/acme-challenge/* paths to the second server, then Certbot should be able to renew normally on the second server. Certbot’s apache plugin should be able to bypass this proxying when renewing the first server’s own certificate.

Another option, if you use the --reuse-key option when renewing the cert on the first server, then you only need to get the new certificate onto the second server, you don’t also need to copy the private key again in that case. So you can use a less secure method of copying, such as connecting to the live server and extracting the certificate using openssl, or downloading it from crt.sh.

If none of these options works for you, you can just copy everything from the first server to the second every time. If there is a network connection between them you may be able to automate this e.g. certbot’s --deploy-hook option allows you to specify a script that runs after every successful renewal. Be careful to use a secure method of copying if you are indeed copying the private keys.


closed #5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.