Moving to a new server - testing with moved certificate first

Hello!

I’d like to test a new version of Linux for a webserver as some people have trouble using it.
So I set up a new server and would like to test if it generally works. I’d like to move the “old” certificate to the new server and then switch the router to the test server if things work. If not, I’d like to be able to switch back quickly. Therefore I’d need to use the old certificate in the new server.

I managed to move the certificate files (as described in https://ivanderevianko.com/2019/03/migrate-letsencrypt-certificates-certbot-to-new-server ).
However, the necessary modifications in apache which normally are done by calling “sudo certbot --apache” are not done on my machine, so SSL is not activated. Is there a trick to get letsencrypt to do that without generating a new certificate? (as this would make the certificate on the “original” server invalid, right?)

Thanks in advance!
R.

My domain is: ralfiii.hopto.org

My web server is (include version):
apache/2.4.29

The operating system my web server runs on is (include version):
LinuxMint 19.3

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

1 Like

I don’t know that certbot can process the apache modifications without an actual renewal attempt; perhaps it can, others may know more about that here.
I do think that you could copy the apache config from the old system and try it on the new (if they are similar enough, it should work).
As for the invalidation of the previous cert, that will NOT happen - only time will expire it.

1 Like

The necessary modifications to your apache setup are easy enough to do without involving certbot at all. Probably the easiest way to handle this is to copy the SSL setup directives from your working server to the new test server.

There should be a file /etc/httpd/conf.d/ssl.conf on your system, which has the setup for any SSL-enabled virtual hosts. You will need to define one on your test system, thus:

<VirtualHost {your_IP_address}:443>
....
</VirtualHost>

Probably you will be able to find the corresponding definition in your existing server. Within this Virtual Host container, you will probably need to adjust file paths for

SSLCertificateFile
SSLCertificateChainFile
SSLCertificateKeyFile

There is not a problem usually with moving an existing certificate to a new server; the certificate is tied to the domain name(s) in it, not to any particular IP address.

1 Like
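An added example (not from the thread) of the SSL virtual host the reply above describes, for the domain in the question. It assumes certbot’s usual layout under /etc/letsencrypt/live/<domain>/, which the thread does not show, and uses a placeholder IP address.

```apache
# Added example: SSL virtual host for the test server, built from the
# three directives named in the reply above. Paths assume certbot's
# standard /etc/letsencrypt/live/<domain>/ layout (an assumption here).
<VirtualHost {your_IP_address}:443>
    ServerName ralfiii.hopto.org

    SSLEngine on

    # fullchain.pem = leaf certificate + intermediate chain.
    # On Apache >= 2.4.8 this replaces SSLCertificateChainFile,
    # which is deprecated; older builds need the separate chain line.
    SSLCertificateFile      /etc/letsencrypt/live/ralfiii.hopto.org/fullchain.pem
    # SSLCertificateChainFile /etc/letsencrypt/live/ralfiii.hopto.org/chain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/ralfiii.hopto.org/privkey.pem

    # Keep the private key readable by root only; Apache reads it
    # before dropping privileges, so the worker user needs no access.

    DocumentRoot /var/www/html
</VirtualHost>
```

Run `apachectl configtest` before reloading so a wrong path fails here rather than at restart; once the router points at the test server, `openssl s_client -connect ralfiii.hopto.org:443 -servername ralfiii.hopto.org` shows which certificate and chain are actually being served.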

certbot install --apache

1 Like

Ah, thanks 9peppe, that sounds promising.
Doing so, certbot first asks which certificate I’d like to install and suggests the right one (“ralfiii…”).
I select it, then I get the following error message:
Path to certificate or key was not defined. If your certificate is managed by Certbot, please use --cert-name to define which certificate you would like to install.

What do I do now?
Thanks!!!

I read the tutorial you followed. It’s wrong. You need to move the whole /etc/letsencrypt directory (if there’s not one already on the new server), or at least move /etc/letsencrypt/renewal too.

You moved the certificates but not certbot’s config files that tell it what to do.

I just looked on the new installation. There the folder “renewal” exists (I didn’t create it) and the file inside is binary identical to the one on the old server.
So that doesn’t seem to resolve the problem.

I copied the letsencrypt folder:
On the server: sudo tar -chvzf leold2.tar.gz /etc/letsencrypt
On the client (after removing the old folder): sudo tar -xvf ~/leold2.tar.gz
Still same error message.

go for certbot install with no options.

but mainly, does certbot renew --dry-run work?

Being completely desperate, I tried something different.
I’ve set up a fresh server, installed apache and simply installed letsencrypt as if it was a brand new server (with “sudo certbot --apache”). This generated a new certificate (??? or it just retrieved the old one, I don’t know how these things work). And now it works, I can connect to that new server from the outside, the certificate is valid.
And I can switch with the router to the other (old) server, that also works and doesn’t show any errors.
Both certificates seem to work in parallel. I thought issuing a new certificate would render the old certificate useless. But it seems that is not the case.
Is this a terrible approach? Am I killing something this way?
Thanks for all your effort!
Ralf

No, I’d say it’s the recommended one.

Autorenew will only work on one machine, though.