Moving working certbot to a new server

The existing server (where certbot is installed and working) needs to be replaced. I can replace it with a new instance of the same local hostname, DNS name, and IP. However, I don't know exactly what files to copy and restore to the new server so that it will be able to renew our certs when the time comes. I see several in /etc/letsencrypt, but please let me know if others exist. I have about 30 days before I must renew our certs.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: search.usa.gov and many SANs

I ran this command: Nothing yet

It produced this output: haven't run a command yet

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.27.0

Just migrating /etc/letsencrypt/ entirely should be just fine. Make sure you use a method that preserves symbolic links.

7 Likes
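An added example that is not from the thread or from certbot itself: a symlink-preserving copy of the config tree plus the checks a practitioner would run on the new host before trusting it. It assumes the tree lives at /etc/letsencrypt on both machines; the demo functions at the end work on a constructed stand-in tree under mktemp, not a real one.

```shell
#!/bin/sh
# Added example for this thread, not code from the original posts or from
# certbot. It copies a certbot config tree with symlinks kept as symlinks and
# then checks what a practitioner would check before trusting the new host.
# Assumptions: the tree is at /etc/letsencrypt on both hosts; the demo at the
# end uses a constructed tree under mktemp, not a real /etc/letsencrypt.
set -eu

# Copy SRC to DEST, keeping symlinks, modes and (when run as root) ownership.
# tar without -h/--dereference stores live/<name>/*.pem as the relative
# symlinks certbot created (../../archive/<name>/<file>N.pem), which is
# exactly what a plain `cp -rL` or an scp of live/ would flatten into files.
copy_letsencrypt() {
    src=$1; dest=$2
    mkdir -p "$dest"
    (cd "$src" && tar -cf - .) | (cd "$dest" && tar -xpf -)
}

# Every file under live/ must still be a symlink that resolves to a regular
# file; prints each problem and returns 1 if any were found.
verify_live_links() {
    root=$1; status=0
    for link in "$root"/live/*/*.pem; do
        if [ ! -L "$link" ]; then
            echo "not a symlink (copied with dereferencing?): $link"; status=1
        elif [ ! -f "$link" ]; then
            echo "dangling symlink: $link -> $(readlink "$link")"; status=1
        fi
    done
    return $status
}

# renewal/*.conf holds absolute paths (archive_dir, cert, privkey, ...), so
# the tree has to land at the same path on the new host. This checks that
# every archive_dir a renewal config names actually exists.
verify_renewal_paths() {
    root=$1; status=0
    for conf in "$root"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        archive=$(sed -n 's/^archive_dir *= *//p' "$conf")
        [ -d "$archive" ] || { echo "$conf: archive_dir '$archive' missing"; status=1; }
    done
    return $status
}

# --- constructed demo tree (stand-in for /etc/letsencrypt; not real keys) ---
make_demo_tree() {
    root=$1; name=example.com
    mkdir -p "$root/archive/$name" "$root/live/$name" "$root/renewal"
    for f in cert chain fullchain privkey; do
        echo "-----CONSTRUCTED $f-----" > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
    chmod 600 "$root/archive/$name/privkey1.pem"
    printf 'version = 0.27.0\narchive_dir = %s/archive/%s\n' "$root" "$name" \
        > "$root/renewal/$name.conf"
}

# Symlink-preserving copy: live/ links survive. Returns 0.
demo_symlink_copy() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp/old"
    copy_letsencrypt "$tmp/old" "$tmp/new"
    if verify_live_links "$tmp/new"; then rc=0; else rc=1; fi
    rm -rf "$tmp"; return $rc
}

# Dereferencing copy (cp -RL): live/ becomes plain files, so a later renewal
# would write new archive files that live/ no longer points at. Returns 1.
demo_dereferenced_copy() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp/old"
    cp -RL "$tmp/old" "$tmp/new"
    if verify_live_links "$tmp/new"; then rc=0; else rc=1; fi
    rm -rf "$tmp"; return $rc
}

# Restoring to a different path than the renewal configs name: the
# archive_dir check fails once the old tree is gone. Returns 1.
demo_wrong_path() {
    tmp=$(mktemp -d)
    make_demo_tree "$tmp/old"
    copy_letsencrypt "$tmp/old" "$tmp/new"
    rm -rf "$tmp/old"
    if verify_renewal_paths "$tmp/new"; then rc=0; else rc=1; fi
    rm -rf "$tmp"; return $rc
}
```

On the real hosts the same copy is `(cd /etc/letsencrypt && tar -cf - .) | ssh newhost 'cd /etc/letsencrypt && tar -xpf -'` run as root, followed by `certbot certificates` and `certbot renew --dry-run` on the new host to confirm it sees the lineages and can talk to the staging endpoint. The tree contains the ACME account key (accounts/) and every certificate's private key (archive/), so move it only over an authenticated channel, keep the 0600 modes, and wipe any intermediate copy.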

And also "copy" the cronjob that runs certbot [or create a new one] if one is not already there.

7 Likes

Good to know, thank you Osiris!

2 Likes

Good point rg305! When I tested installing certbot on a new server it did create a new cron job, but I didn't compare it to the old one. We do take advantage of that job to attempt auto-renew, but unfortunately we have so many SANs that one or more of them always gives an issue that needs to be resolved before renew can complete successfully.

I'll be sure to document and recreate the existing cron job.

3 Likes

Depending on how Certbot was installed, the systemd timer or cronjob would have been installed with it.

6 Likes
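An added example, not from the thread, for the scheduler question raised in the two replies above: it lists where the Ubuntu certbot package puts its cron drop-in and systemd timer so the same arrangement can be recreated or compared on the replacement host. The ROOT argument lets it run against a copied filesystem or, as in the demo, a constructed one under mktemp; the cron line and timer unit in the demo are constructed stand-ins, not copied from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): find how certbot renewal is scheduled
# on a host, so the same scheduler can be recreated on the replacement.
# Checks the cron and systemd locations the Ubuntu certbot package uses, plus
# root's own crontab. ROOT (default: /) lets the check run against a copied
# tree; the demo below builds a constructed one.
set -eu

find_renewal_jobs() {
    root=${1:-}
    found=0
    # 1. cron: the package drop-in, any other cron.d or cron.daily file that
    #    mentions certbot, and root's personal crontab.
    for f in "$root"/etc/cron.d/* "$root"/etc/cron.daily/* \
             "$root"/var/spool/cron/crontabs/root; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        if grep -q 'certbot' "$f"; then
            echo "cron: $f"
            grep -n 'certbot' "$f" | sed 's/^/    /'
            found=1
        fi
    done
    # 2. systemd: the timer unit, and the timers.target.wants/ symlink that
    #    marks it enabled.
    for f in "$root"/lib/systemd/system/certbot.timer \
             "$root"/etc/systemd/system/certbot.timer; do
        [ -f "$f" ] && { echo "systemd timer unit: $f"; found=1; }
    done
    w="$root"/etc/systemd/system/timers.target.wants/certbot.timer
    [ -L "$w" ] && echo "systemd timer enabled: $w"
    [ "$found" -eq 1 ]
}

# Constructed stand-in for a host with both mechanisms present. The cron
# line skips itself when /run/systemd/system exists, leaving the timer to
# do the work, which is why copying only one of them can be a surprise.
build_demo_root() {
    root=$1
    mkdir -p "$root/etc/cron.d" "$root/lib/systemd/system" \
             "$root/etc/systemd/system/timers.target.wants"
    cat > "$root/etc/cron.d/certbot" <<'EOF'
# constructed example cron drop-in
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
EOF
    printf '[Timer]\nOnCalendar=*-*-* 00,12:00:00\nRandomizedDelaySec=43200\n' \
        > "$root/lib/systemd/system/certbot.timer"
    ln -s /lib/systemd/system/certbot.timer \
        "$root/etc/systemd/system/timers.target.wants/certbot.timer"
}
```

Run `find_renewal_jobs` on the old host and again on the new one after the package install and diff the two listings; on a live system add `systemctl list-timers --all | grep certbot` and `crontab -l` for root, which this offline check cannot see. Any custom renewal job (for example one with `--deploy-hook` to reload Apache) will only show up in whichever of these files you put it in, so recreate it by hand rather than assuming the package did.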

Have you considered splitting the single cert(s) into many [more] certs?

5 Likes

Right now our architecture won't support that, but yes it is a thing we will have to do at some point, since parts of AWS only support 100 SANs on a cert.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.