Moving and merging certs from Server A to B

I have 2 AWS Ubuntu servers. Each are running a single site. Each have Let’s Encrypt certs installed and are redirecting to https and have nginx in front of them. Let’s encrypt is setup to auto-renew - a setting in crontab.

I’m moving one of the sites to the server with the other site. I need to move Let’s Encrypt certs and files as well. At first I thought that all files were distinct and I could merge the 2 /etc/letsencrypt folders but there are file conflicts.

Anybody have any ideas about the easiest way to move and merge the Let’s Encrypt setup from one server to another that already has another site on it?

Thanks.

@bmw: This is an interesting question, and relates to our recent conversation about storage architectures. @guyellis: Can you share the list of which files exist in both places?

1 Like

@jsha Absolutely, there are 4 files that have the same name in the same folder structure:

/csr/0000_csr-certbot.pem
/csr/0001_csr-certbot.pem
/keys/0000_key-certbot.pem
/keys/0001_key-certbot.pem

One of the servers also has:

/csr/0002_csr-certbot.pem
/keys/0002_key-certbot.pem

which is not duplicated on the other server. If I understand how the auto-update of the certs work then the other server will get this file when it’s up for renewal. Also this list of files will grow over time with auto renewals.

All the other file names that are duplicated are “namespaced” by the domain name in some way. I think that the easiest solution would be to have all potentially duplicated files immediately namespaced with their domain under the /etc/letsencrypt/ folder and only have neutral meta files that relate to the operation of letsencrypt remain in that folder.

This is an interesting question and is something the client team should think more about in the future.

What you should do here is copy over the /etc/letsencrypt/archive, /etc/letsencrypt/live, and /etc/letsencrypt/renewal directories, taking care to preserve the symlinks in /etc/letsencrypt/live during copying.

The files in the /etc/letsencrypt/csr and /etc/letsencrypt/keys are simply named ####_csr-certbot.pem and ####_key-certbot.pem respectively, where #### is an increasing counter. This will create a conflict when trying to merge the files with another /etc/letsencrypt directory.

I wouldn’t worry about copying the other files into /etc/letsencrypt on the other server. You might want to make a backup of the files somewhere, but you won’t need them to move the site to the other server. If you’re curious, the other files in /etc/letsencrypt are:

  • /etc/letsencrypt/accounts contains ACME registration information. Certbot currently doesn’t have great support for multiple ACME accounts and for the protocol as is, it doesn’t matter. This is something you should at the very least keep a backup of though.
  • /etc/letsencrypt/csr contains the CSR we used to get your cert.
  • /etc/letsencrypt/keys contains the private key we generated for your new certificate. Another copy of this is also found in /etc/letsencrypt/archive which you should copy over.
6 Likes

And just to confirm that no change is needed in the auto-renew?

i.e. in crontab I have:

... certbot-auto renew --quiet --no-self-upgrade

How does it know which certs to update?

It will be renewed if it has a .conf file in /etc/letsencrypt/renewal/ and has less than 30 days remaining

1 Like

@cool110 is correct. Certbot will examine the contents of your /etc/letsencrypt directory to determine if your certificates are due for renewal. If you’d like to test that everything is working, you can run certbot-auto renew --dry-run.

1 Like

Great idea about the --dry-run @bmw - I’d forgotten about that param.

So when I ran it I got a warning:

WARNING:certbot.renewal:Attempting to renew cert from 
/etc/letsencrypt/renewal/domain.com.conf produced an unexpected
 error: Missing command line flag or config entry for this setting:
Please choose an account

The .../renewals folder now has 2 .conf files in it. One from each of merged trees. Looking at the contents of those 2 .conf files they can’t be merged without conflict. Should there be 2 files in .../renewals for 2 certs?

Yes. There should be a file in /etc/letsencrypt/renewals for each directory in /etc/letsencrypt/live. There should be a line in each configuration file like:

account = <hash>

You should modify these files so that <hash> is the name of the directory found in /etc/letsencrypt/accounts/acme-staging.api.letsencrypt.org/directory/. Only one of these files should need to be modified.

1 Like

That worked. I removed the other directories from site B that were no longer needed after updating the account hash. Everything tests okay. Thanks for all the help everyone!

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.