Moving DNS01 renewal on a different host

A couple of months ago, I set up a LE cert using a DNS01 challenge on a Debian 9 host.
This Debian 9 host died a couple of days ago.
I can't directly check which certbot version was running on it.
This cert was copied on several Freeradius instances requiring a cert.

I would like to port the LE cert renewal process on a different host.
For this, I'm planning to reuse a Debian 11 host on which I currently manage another LE cert (with an HTTP01 challenge). On this Debian 11 host, certbot 1.12.0 is installed.

I've got a full backup of the /etc/letsencrypt directory from the Debian 9 host.
I'm thinking of

  1. copying some backed-up files to the new Debian 11 host
  2. forcing once, by hand, the old cert renewal
  3. leaving certbot renewing both certs (the HTTP01 and the DNS01 ones)

Can this be done?

I was thinking of just copying the following files or directories:

  1. /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/ into /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/
  2. /etc/letsencrypt/renewal/.conf into /etc/letsencrypt/renewal/
  3. /etc/letsencrypt/renewal-hooks/deploy/script1.sh into /etc/letsencrypt/renewal-hooks/deploy

Do I need to copy some content from /etc/letsencrypt/archive or /etc/letsencrypt/live?
Do I need to copy /etc/letsencrypt/accounts/acme-staging-v02.api.letsencrypt.org/?

Looking at the csr and keys directories, I see a bunch of files bearing similar names on both hosts. Shall I care about this?

Best regards

1 Like

Welcome @oza4h07

I don't recommend merging some Certbot folders from one system to another.

Just request a new cert on the Debian 11 system. The DNS Challenge will not interfere with your existing cert using the HTTP Challenge.

The only unusual item is the script1.sh renewal hook. Having it in that folder means it applies to every cert that Certbot is managing on that machine. If it isn't appropriate to run it for your HTTP Challenge cert you could modify the script so it is. Or, just use --deploy-hook on the command when using the DNS Challenge for the new cert. Ask more questions if you are not sure.

2 Likes
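One way to make a hook kept in renewal-hooks/deploy act only for the DNS-01 cert, as the reply above suggests. This is an added example, not code from the thread: Certbot does export RENEWED_LINEAGE and RENEWED_DOMAINS to deploy hooks, but the lineage name radius-cert, the FreeRADIUS host names and the certificate path on those hosts are assumptions.

```shell
#!/bin/sh
# Added example: a certbot deploy hook that acts only for the DNS-01 lineage.
# Certbot exports RENEWED_LINEAGE (the live/<name> directory of the cert just
# renewed) and RENEWED_DOMAINS (space-separated names) to deploy hooks.
# Assumed placeholders: lineage name "radius-cert", hosts radius1/radius2,
# and the FreeRADIUS certs directory.

# Return 0 when the renewed lineage is the one FreeRADIUS uses.
# $1 = RENEWED_LINEAGE path, $2 = lineage name we care about
is_target_lineage() {
    case "$1" in
        */live/"$2") return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when a domain appears in a space-separated RENEWED_DOMAINS list.
# $1 = domain list, $2 = domain to look for
domain_in_list() {
    for d in $1; do
        [ "$d" = "$2" ] && return 0
    done
    return 1
}

# Copy the chain and key to each FreeRADIUS host and reload the service.
# $1 = lineage directory, remaining args = host names (assumed layout)
deploy_to_radius() {
    lineage="$1"; shift
    for host in "$@"; do
        rsync -a --chmod=F640 "$lineage/fullchain.pem" "$lineage/privkey.pem" \
            "root@$host:/etc/freeradius/3.0/certs/"
        ssh "root@$host" systemctl reload freeradius
    done
}

# Only act when invoked by certbot (RENEWED_LINEAGE is set). The HTTP-01
# cert on the same host then triggers the hook but is skipped here.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if is_target_lineage "$RENEWED_LINEAGE" "radius-cert"; then
        deploy_to_radius "$RENEWED_LINEAGE" radius1.example.net radius2.example.net
    else
        echo "deploy hook: skipping $RENEWED_LINEAGE (not the FreeRADIUS cert)"
    fi
fi
```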

Can I re-use the same domain name on the Debian 11 system or shall I use a new one?

I don't understand that question. You said you used the DNS Challenge on the Debian 9 system. And, that you just want to move that cert request process to Debian 11. You can get a cert using DNS Challenge on any machine. You could get 10 certs with different names on the same system. Now, where you use those certs and how is a different story. But, you were just asking about the cert renewal.

If you shared your actual domain names this would have been easier :)

But, don't you just copy this DNS Challenge cert to your FreeRadius systems?

And, what did that deploy hook do? Did it copy the cert to those systems?

2 Likes

I'm sorry my last question was not very understandable.

Anyway, your answer was both very informative and very clear.
I just ran the command below and everything went fine.

certbot certonly --manual --manual-auth-hook /etc/letsencrypt/acme-dns-auth.py --preferred-challenges dns --debug-challenges -d foobar.com

Thank you very much!

1 Like

That is going to make automating your renewals unpleasant. Have you looked into using a DNS service that works with automation? Others here can probably give you a good review of using acme-dns as one way of introducing automation to your existing DNS.

Edit: ignore this reply. I didn't read enough of the command that I selectively quoted to notice that acme-dns was being used. I only use HTTP-01 challenges with certbot. My DNS-01 challenges are handled by another ACME client.

1 Like

It looks like that command line is calling a hook that calls acme-dns of some sort, though?

It's really confusing that "manual intervention" and "custom script" are both called "manual" by Certbot. :)

3 Likes

Thank you for pointing that out. I, of course, stopped reading when I saw --manual and didn't notice acme-dns-auth.py until reading it again after your reply.

3 Likes