Move to another server


#1

Hello,

If I want to move my domain which has a letsencrypt certificate to another server, what are the steps to do it?

Thanks


#2

Hi @fernandoch

How did you install your certificate? Shared hoster, certbot, cPanel? What does your new server have?


#3

With certbot, and the new server will also have certbot.


#4

In such a case, I would:

  • install the new server
  • copy the two or three certificate files manually; that always works. You can use the same (not expired) certificate with different webservers
  • switch the dns entry
  • if this is done, try (perhaps weeks later) to create a new certificate (running certbot on the new machine).

#5

What files should I copy and where?

And will the new installation know how to update the files?

Why create a new certificate? What is the goal here?


#6

Hi @fernandoch,

You can copy the entire dir /etc/letsencrypt/ and restore it on your new server.

Old server (as root):

tar zpcvf backup_etc-letsencrypt_2018-Nov-20.tar.gz /etc/letsencrypt/

Now transfer the file to the new server.

New server (as root):

tar zxvf backup_etc-letsencrypt_2018-Nov-20.tar.gz -C /

And you have all the certificates, renewal confs, etc. on your new server.

certbot will use the information saved in the renewal conf files /etc/letsencrypt/renewal/*, so if the paths to your webroot etc. are the same, you should have no issues. If the paths have changed, then you should modify them in the renewal conf files for all your domains, but all this depends on how you issued your certificates… (using certonly, webroot, apache plugin, nginx plugin, etc.)

Cheers,
sahsanu
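
Post #6 notes that certbot renews using the paths saved in /etc/letsencrypt/renewal/*. As an added example (not part of the original thread, and not certbot's own code), this shell script lists every path a renewal conf names that is missing on the new server, including live/ symlinks left dangling when archive/ was not copied. The function names are hypothetical; the key names it reads (archive_dir, cert, privkey, chain, fullchain, webroot_path, [[webroot_map]]) are assumed to be the ones in your renewal confs.

```shell
#!/bin/sh
# Added example: after restoring /etc/letsencrypt, report paths named in the
# renewal confs that do not exist on this machine.

# check_renewal_conf FILE
# Prints "FILE: key -> path" for every missing path; returns 1 if any is missing.
check_renewal_conf() {
    conf=$1
    missing=$(awk -F ' *= *' '
        { sub(/^[ \t]+/, "") }                      # tolerate indented keys
        /^#/ { next }                               # comments
        /^\[\[webroot_map\]\]/ { in_map = 1; next } # per-domain webroots follow
        /^\[/ { in_map = 0; next }                  # any other section header
        NF < 2 { next }
        $1 ~ /^(archive_dir|cert|privkey|chain|fullchain)$/ { print $1 "\t" $2; next }
        $1 == "webroot_path" {                      # comma-separated list
            n = split($2, p, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^ +| +$/, "", p[i])
                if (p[i] != "") print $1 "\t" p[i]
            }
            next
        }
        in_map { print "webroot_map:" $1 "\t" $2 }
    ' "$conf" | while IFS="$(printf '\t')" read -r key path; do
        # -e follows symlinks, so a live/*.pem link without its archive/ target fails
        [ -e "$path" ] || printf '%s: %s -> %s\n' "$conf" "$key" "$path"
    done)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# check_all DIR   (DIR is normally /etc/letsencrypt)
check_all() {
    rc=0
    for conf in "$1"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        check_renewal_conf "$conf" || rc=1
    done
    return $rc
}

# Run as: sh check.sh /etc/letsencrypt
if [ $# -gt 0 ]; then
    check_all "$1"
fi
```

Anything it prints needs either the files restored or the path edited in the renewal conf before relying on `certbot renew` on the new server.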


#7

A certificate has two or three files, you should find these under

/etc/letsencrypt/live

in the correct folder. So you have two options:

  • copy the whole structure as @sahsanu explained
  • copy only the required files to use the certificate and start new

If you have exactly the same configuration (directories to your website), (1) is possible. If you have a different configuration, a freshly installed certbot and a new command may be your option.

If you create a certificate the first time, certbot saves your settings and reuses these to renew. But that requires exactly the same configuration. And you must transfer your cron job.


#8

Where is the cron saved as it is not in my crontab…


#9

How did you install certbot on the new server? If you installed it using your operating system’s package manager, it probably installed a cron job and/or a systemd timer along with the package, so you don’t need to add one manually. If you used certbot-auto then you can just create a simple cron job yourself, to run certbot-auto renew twice a day at a random time. The certbot website gives this example:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew

#10

I found it in /etc/cron.d

This is the line used

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

What creates that?

I may need to delete the certificate from old server and create a new one in new server… I think it will all be easier.


#11

The package installer (e.g. apt / yum) creates that file or a similar one when you install certbot from a package. If you’ve already installed certbot on the new server then it should already be there.


#12

Thanks. New server not installed yet. Planning everything.


#13

I just did that… here’s what I did:

  1. Ensured that certbot worked correctly with a test domain on the new server.
  2. Ensured that the existing certificate for the server was good for at least a few more weeks.
  3. Moved the content from the current server to the new server.
  4. Verified the content on the new server works as expected.
  5. Notified my users there was going to be some planned downtime while I transitioned to the new server.
  6. Changed the DNS to point the domain name to the new server.
  7. Waited for the DNS to propagate a bit.
  8. Ran certbot to request a new certificate for the new host.
  9. Verified SSL is working on the new host.
  10. Notified users that the server transition was complete.
  11. Revoked the certificate on the previous server (optional, I think, but make sure it doesn’t auto-renew).

#14

Revocation, by itself, doesn’t prevent autorenewal. In fact, it may make autorenewal happen sooner!

If you don’t want autorenewal on the old server, you should delete the certificate there with certbot delete.

(However, if you were prompted to delete the certificate after revoking it, and you did so, then it won’t autorenew.)


#15

Yes, every time I’ve revoked a cert it asked me if I wanted to delete it … and I did.