Move to another server

fernandoch · November 20, 2018, 10:48am

Hello,

If I want to move my domain which has a letsencrypt certificate to another server, what are the steps to do it?

Thanks

JuergenAuer · November 20, 2018, 11:12am

Hi @fernandoch

how did you install your certificate? Shared hoster, certbot, cpanel? What has your new server?

fernandoch · November 20, 2018, 1:28pm

With certbot and new server will also have certbot.

JuergenAuer · November 20, 2018, 3:06pm

In such a case, I would:

install the new server
copy the two or three certificate files manual, that works always. You can use the same (not expired) certificate with different webservers
switch the dns entry
if this is done, try (perhaps weeks later) to create a new certificate (running certbot on the new machine).

fernandoch · November 20, 2018, 4:00pm

What files should I copy and where?

And will the new installation know how to update the files?

Why to create a new certificate? What is the goal here?

sahsanu · November 20, 2018, 4:19pm

Hi @fernandoch,

You can copy the entire dir /etc/letsencrypt/ and restore it on your new server.

Old server (as root):

tar zpcvf backup_etc-letsencrypt_2018-Nov-20.tar.gz /etc/letsencrypt/

Now transfer the file to the new server.

New server (as root):

tar zxvf backup_etc-letsencrypt_2018-Nov-20.tar.gz -C /

And you have all the certificates, renewal confs, etc. on your new server.

certbot will use the information saved on renewal conf files /etc/letsencrypt/renewal/* so if the paths to your webroot etc. are the same, you should have no issues, if the paths have changed then you should modify them on the renewal conf files for all your domains, but well all this depends on how you issued your certificates... (using certonly, webroot, apache plugin, nginx plugin, etc.)

Cheers,
sahsanu

JuergenAuer · November 20, 2018, 4:41pm

A certificate has two or three files, you should find these under

/etc/letsencrypt/live

in the correct folder. So you have two options:

copy the whole structure as @sahsanu explained
copy only the required files to use the certificate and start new

If you have exact the same configuration (directories to your website), (1) is possible. If you have a different configuration, a fresh installed certbot and a new command may be your option.

If you create a certificate the first time, certbot saves your settings and re-use these to renew. But that requires exact the same configuration. And you must transfer your cron job.

fernandoch · November 20, 2018, 4:52pm

Where is the cron saved as it is not in my crontab…

jmorahan · November 20, 2018, 6:25pm

How did you install certbot on the new server? If you installed it using your operating system’s package manager, it probably installed a cron job and/or a systemd timer along with the package, so you don’t need to add one manually. If you used certbot-auto then you can just create a simple cron job yourself, to run certbot-auto renew twice a day at a random time. The certbot website gives this example:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && ./path/to/certbot-auto renew

fernandoch · November 21, 2018, 4:42pm

I found it in /etc/cron.d

This is the line used

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a ! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

What creates that?

I may need to delete the certificate from old server and create a new one in new server... I think it will all be easier.

jmorahan · November 21, 2018, 5:12pm

The package installer (eg apt / yum) creates that file or a similar one when you install certbot from a package. If you've already installed certbot on the new server then it should already be there.

fernandoch · November 21, 2018, 5:46pm

Thanks. New server not installed yet. Planning everything.

fallingrock · November 26, 2018, 3:13pm

I just did that… here’s what I did:

Ensure that certbot worked correctly with a test domain on the new server.
Ensured that the existing certificate for the server was good for at least a few more weeks.
Moved the content from the current server to the new server.
Verified the content on the new server works as expected.
Notified my users there was going to be some planned down time while I transitioned to the new server.
Changed the DNS to point the domain name to the new server.
Wait for the DNS to propagate a bit
Run certbot to request a new certificate for the new host.
Verify SSL is working on the new host.
Notify users that the server transition was complete.
Revoke the certificate on the previous server (optional, I think, but make sure it doesn’t auto-renew).

schoen · November 26, 2018, 8:03pm

Revocation, by itself, doesn't prevent autorenewal. In fact, it may make autorenewal happen sooner!

If you don't want autorenewal on the old server, you should delete the certificate there with certbot delete.

(However, if you were prompted to delete the certificate after revoking it, and you did so, then it won't autorenew.)

fallingrock · November 26, 2018, 8:53pm

Yes, every time I’ve revoked a cert it asked me if I wanted to delete it … and I did.

system · December 26, 2018, 8:53pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Let's Encrypt on a new server Server	6	1549	July 18, 2018
Migrating to new server, keeping domain name--best method? Help	4	1194	February 25, 2018
Move Letsencrypt cert from Cpanel server to non-Cpanel server Help	6	1324	September 25, 2021
Migrate certificare to new server Help	2	2706	November 3, 2016
How to transfer only one domain's SSL certs to a different server? Server	7	13770	October 19, 2016

Move to another server

Related topics