Move Letsencrypt cert from Cpanel server to non-Cpanel server

Hello

I need to move a letsencrypt certificate from a cpanel server to non-cpanel server and am not quite sure what to do with a few parts.

The new server is dedicated and I have complete access to it; it is already running a separate letsencrypt cert for a different domain, so certbot is all set up and running great. (Ubuntu 20.x/Apache)

The site/cert I need to move to this new server is on a Cpanel/Hostgator shared server, and it also has a letsencrypt cert. I was able to copy the actual cert .pem files to /archive/domain-name directory (cert1, cert2, etc) as well as the private keys. I am not sure where to get the chainX.pem and fullchainX.pem files, or what to use here or ....

what (if anything) goes in the

/etc/letsencrypt/csr
/etc/letsencrypt/live directories.

I've moved plenty of sites/certs from server to server without any issues, but never from a Cpanel/letsencrypt setup - I do have access to the WHM manager also. I do not have access to DNS for these domains as these are sub-domains for a client, they are a large company so I can get them to change the A record when I switch over but it may be difficult to add other records.

Thanks in advance

1 Like

Probably not the best implementation of your idea.
It is best to leave everything within the /etc/letsencrypt/ folders to certbot to handle.

Moving into a new server without certbot would be very simple = copy the entire folder.
But since you already have existing files... it requires a merger.
[which isn't a simple process]
If you are talking about a single FQDN, then I would:

  • just place the cert & key in a newly created temp folder
  • configure the web service to use that cert

Then once it has been moved over:

  • have certbot actually obtain a new cert for it (with certonly)
    [yes new, certbot knows nothing about the temp cert in use, so this is not a renewal to it (yet)]
  • configure the web server to use the new cert
  • delete the temp folder and old(er) cert
  • revise the new renewal.conf file as needed, if needed.
    [Why? certonly doesn't add in any extra details that you might require]

If there are many FQDNs, then... reply back with that.

2 Likes

If you can't find them on the server, you can just build them yourself.

Visit Chain of Trust - Let's Encrypt

You can download the current active root and leafs in PEM format.

  • chainX is just the intermediate (LetsEncryptR3)
  • fullchainX is your cert + newline + the chain. Assuming the cert ends with a newline, you can just do cat certX.pem chainX.pem > fullchainX.pem

If you are still using the DST chain, then chainX is (LetsEncryptR3 Cross Signed)

Edit: I was in a rush and wrote "leaf" instead of "intermediate" and added an unnecessary root. thanks @griffin

3 Likes

This worked, thank you.

2 Likes

For useful reference to go with @jvanasco's instructions...

Current default fullchain.pem (assumes https://letsencrypt.org/certs/trustid-x3-root.pem.txt already in trust store):

leaf certificate
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem


Current alternate fullchain.pem (assumes https://letsencrypt.org/certs/isrgrootx1.pem already in trust store):

leaf certificate
https://letsencrypt.org/certs/lets-encrypt-r3.pem


Old default fullchain.pem (don't use unless absolutely necessary) (assumes https://letsencrypt.org/certs/trustid-x3-root.pem.txt already in trust store):

leaf certificate
https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem


In all three cases, cert.pem contains your leaf certificate and chain.pem contains the remaining certificate(s) in the list.

3 Likes
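To go with the two posts above on how cert.pem, chain.pem and fullchain.pem relate, here is an added example (not from any of the posters, and not certbot's own tooling): a small POSIX shell script that rebuilds fullchain.pem from cert.pem plus chain.pem, guards against the "cert does not end with a newline" case that would glue the leaf's END marker onto the intermediate's BEGIN marker, splits a fullchain.pem back into leaf and chain, and sanity-checks the layout (exactly one leaf, at least one intermediate, leaf first, block counts adding up). The function names and the PEM-looking placeholder bodies used when trying it out are my own constructions, not real certificates.

```shell
#!/bin/sh
# Added example, not code from the thread. Rebuilds certbot-style files:
#   fullchain.pem = cert.pem (leaf) + chain.pem (intermediate(s))
# and splits a fullchain.pem back into cert.pem + chain.pem.
# It handles the edge case noted above: a leaf file with no trailing newline,
# which would otherwise glue "-----END CERTIFICATE-----" to the next BEGIN line.

# Number of PEM certificate blocks in a file (prints 0 if none).
pem_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Concatenate leaf and chain into fullchain, inserting the missing newline
# when the leaf's last byte is not "\n". Command substitution strips trailing
# newlines, so a non-empty result means the last byte was something else.
build_fullchain() {
    leaf=$1 chain=$2 out=$3
    cat "$leaf" > "$out"
    if [ -n "$(tail -c 1 "$leaf")" ]; then
        printf '\n' >> "$out"
    fi
    cat "$chain" >> "$out"
}

# Split fullchain: first PEM block -> cert file, remaining blocks -> chain file.
split_fullchain() {
    awk -v cert="$2" -v chain="$3" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > cert }
        n >= 2 { print > chain }
    ' "$1"
}

# Sanity check of the certbot layout: exactly one leaf in cert.pem, at least one
# intermediate in chain.pem, fullchain.pem holding both sets, and the leaf first.
# Returns 0 when the layout is consistent, 1 otherwise.
check_layout() {
    cert=$1 chain=$2 full=$3
    [ "$(pem_count "$cert")" -eq 1 ] || return 1
    [ "$(pem_count "$chain")" -ge 1 ] || return 1
    [ "$(pem_count "$full")" -eq $(( $(pem_count "$cert") + $(pem_count "$chain") )) ] || return 1
    # The missing-newline symptom: an END marker glued to a BEGIN marker.
    if grep -q -e 'END CERTIFICATE----------BEGIN CERTIFICATE' "$full"; then
        return 1
    fi
    # The first block of fullchain must be the leaf (compared ignoring a
    # trailing-newline difference, which command substitution strips).
    tmp=$(mktemp)
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } n == 1' "$full" > "$tmp"
    if [ "$(cat "$tmp")" = "$(cat "$cert")" ]; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Command-line use:
#   sh fullchain.sh build cert.pem chain.pem fullchain.pem
#   sh fullchain.sh split fullchain.pem cert.pem chain.pem
#   sh fullchain.sh check cert.pem chain.pem fullchain.pem
case "${1:-}" in
    build) build_fullchain "$2" "$3" "$4" ;;
    split) split_fullchain "$2" "$3" "$4" ;;
    check) check_layout "$2" "$3" "$4" && echo "layout ok" ;;
esac
```

The check is purely structural (block counts and order); it does not validate signatures, so after rebuilding the files you would still point Apache at the new fullchain.pem and confirm with an external TLS check that the served chain is the one you intended (R3 plus the ISRG Root X1 cross-sign for the default chain, R3 alone for the alternate chain).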

Thank you, I am adding these to my notes

2 Likes
