Moving working certbot to a new server

rfink · December 29, 2022, 6:23pm

The existing server (where certbot is installed and working) needs to be replaced. I can replace it with a new instance of the same local hostname, DNS name, and IP. However, I don't know exactly what files to copy and restore to the new server so that it will be able to renew our certs when the time comes. I see several in /etc/letsencrypt, but please let me know if others exist. I have about 30 days before I must renew our certs.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: search.usa.gov and many SANs

I ran this command: Nothing yet

It produced this output: haven't run a command yet

My web server is (include version): apache 2.4

The operating system my web server runs on is (include version): ubuntu 18.04

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.27.0

Osiris · December 29, 2022, 6:32pm

Just migrating /etc/letsencrypt/ entirely should be just fine. Make sure you use a method that preserves symbolic links.

rg305 · December 29, 2022, 6:59pm

And also "copy" the cronjob that runs certbot [or create a new one] if one is not already there.

rfink · December 29, 2022, 7:08pm

Good to know, thank you Osiris!

rfink · December 29, 2022, 7:12pm

Good point rg305! When I tested installing certbot on a new server it did create a new cron job, but I didn't compare it to the old one. We do take advantage of that job to attempt auto-renew, but unfortunately we have so many SANs that one or more of them always gives an issue that needs to be resolved before renew can complete successfully.

I'll be sure to document and recreate the existing cron job.

Osiris · December 29, 2022, 7:43pm

Depending on how Certbot was installed, the systemd timer or cronjob would have been installed with it.

rg305 · December 29, 2022, 11:50pm

Have you considered splitting the single cert(s) into many [more] certs?

rfink · December 30, 2022, 4:13pm

Right now our architecture won't support that, but yes it is a thing we will have to do at some point, since parts of AWS only support 100 SANs on a cert.

system · January 29, 2023, 4:14pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Migrating to new server, keeping domain name--best method? Help	4	1194	February 25, 2018
Migrate certificare to new server Help	2	2706	November 3, 2016
Moving certs from one server to another Server	3	5748	April 9, 2017
Copy /etc/letsencrypt or regenerate to move? Help	7	4477	January 30, 2021
Moving to new machine - want to keep certificates Server	2	793	March 27, 2019

Moving working certbot to a new server

Related topics