Query about restoring from backup

Say my certificate is due for renewal in 10 days time.
I create a “backup / snapshot / image” of my VPS server, and then renew my certbot Let's Encrypt SSL certificates (e.g. certbot-auto renew).

If I somehow mess up my certificates and break them (god forbid), will my certificates still be valid if I were to restore the snapshot / backup / image of my server, or are they voided in a remote location at the point I screwed them up?

Just want a bit of peace of mind, as usually I've got just www. and the root domain to renew, which is fine, but one of my sites uses wildcard domains. Last time I ran the renewal it asked me to set up DNS records, so I copied the TXT records from the SSH PuTTY terminal, then it messed up the configuration, thinking I pressed enter when I was copying it; it just all gets a mess.
Thanks for any clarification.

1 Like

Hello Matthew :slightly_smiling_face:

It is not actually possible to mess up your certificate (other than corruption/loss/compromise of its private key or deliberate revocation of the certificate itself). In fact, you can always see all of your issued certificates at https://crt.sh and even download copies of them! What you CANNOT do is get copies of your private keys for obvious reasons.

I suspect that it wasn't the DNS TXT record part that caused the configuration change since you were using manual dns-01 verification. Was the ACME client you were using configured to "install" the certificate (according to some webserver specification like apache or nginx)? That's almost always what breaks configurations.

Anyhow, no worries and THANK YOU for being intelligent and courteous in backing up your certificates (and private keys). You probably have no idea how many times a day around here we get people who have issues and destroyed 5 certificates in 24 hours and need to wait a week to get another.

One last thought...

If you backup before renewing your certificates, the private key for your new certificate would be on your server that hasn't been backed-up. If that key were lost/compromised, you would not be able to use that new certificate, but when you restore your previous certificate, you would be fine to simply renew again. You might lose https temporarily if your certificate lapsed in the meantime though. Just don't make it a habit of losing your private keys and having to reissue "identical" certificates (only varying by private key) because you can run into rate limitations if you do it too often.

Thanks Griffin
I have run certbot certificates to see my due certificates:

    Found the following certs:
      Certificate Name: franchiseek.com
        Domains: *.franchiseek.com franchiseek.com
        Expiry Date: 2020-10-01 07:58:55+00:00 (VALID: 14 days)
        Certificate Path: /etc/letsencrypt/live/franchiseek.com/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/franchiseek.com/privkey.pem
      Certificate Name: uk-franchises-for-sale.co.uk-0001
        Domains: uk-franchises-for-sale.co.uk www.uk-franchises-for-sale.co.uk
        Expiry Date: 2020-06-23 12:00:43+00:00 (INVALID: EXPIRED)
        Certificate Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk-0001/fullchain.pem
        Private Key Path: /etc/letsencrypt/live/uk-franchises-for-sale.co.uk-0001/privkey.pem

I can see from my VPS that I ran a few commands when the certificates were last due, these were
certbot install
and
sudo certbot certonly --manual --preferred-challenges=dns --email matt@franchise-uk.co.uk --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.franchiseek.com -d franchiseek.com

The uk-franchises-for-sale domain is no longer needed so I have left that one expired.
Please can you let me know which command I need to run in order to renew the certificate expiring in 14 days?

I just ran the query certbot renew, however it failed with
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',) Attempting to renew cert (franchiseek.com) from /etc/letsencrypt/renewal/franchiseek.com.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration. The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

Thanks in advance.

1 Like

All of that error was as expected. :wink: You used certonly so of course there’s no installer. What webserver software are you using? I can make your life LOADS easier.

You can run this to safely delete the unneeded certificate:

sudo certbot delete --cert-name uk-franchises-for-sale.co.uk-0001

I’m using Apache2 on Ubuntu 18 LTS.
The site (franchiseek.com) uses gtranslate.io as a cname for many of the wildcarded subdomains, however I still require the *.franchiseek.com in my certificate.

1 Like

Perhaps try this:

sudo certbot -a manual --preferred-challenges dns --email matt@franchise-uk.co.uk -d franchiseek.com,*.franchiseek.com -i apache

This will install your certificate too. If you want to use renew, you need to have hooks to do the work for you. Instead, you can use the following command to have it “recall” your previous configuration:

sudo certbot run --cert-name franchiseek.com

Cheers, the dns one seems to have renewed the certificates and everything is working as expected until December.

With the certbot run query you have put there, will that cover the wildcard subdomain as well, and if so I won't have to run the DNS challenges each time (thereby being able to stick it in a cron job)?

1 Like

Unfortunately, no. That is what the hook script is needed for (because cron jobs are non-interactive). Although challenge authorizations are cached for 30 days, when it comes time to renew you will need new TXT records. You probably know that you can delete the TXT records immediately after a successful issuance. If you want to automate the renewals fully, you need to either use the --manual-auth-hook and --manual-cleanup-hook to do that (or use something with CNAMEs like acme-dns).
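As an added illustration of the hook approach described above (not code from the thread or from certbot): one script that serves as both --manual-auth-hook and --manual-cleanup-hook. It relies on certbot's documented CERTBOT_DOMAIN, CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES environment variables; publish_txt and remove_txt are placeholders that only echo and must be replaced with your DNS provider's API call.

```shell
#!/bin/sh
# Added example (hypothetical hooks.sh). certbot exports CERTBOT_DOMAIN,
# CERTBOT_VALIDATION and CERTBOT_REMAINING_CHALLENGES before calling a hook.
# publish_txt / remove_txt are placeholders for the DNS provider's API.

# TXT record name for a domain. A wildcard and its base name are validated
# under the same _acme-challenge label, so a leading "*." is stripped.
acme_record_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Placeholders: replace the echo with the provider's add/delete call.
publish_txt() { echo "add TXT $1 \"$2\""; }
remove_txt()  { echo "del TXT $1 \"$2\""; }

# Auth hook: ADD the record (never replace an existing one). With
# -d franchiseek.com -d '*.franchiseek.com' the hook runs twice and both
# TXT values must be present at the same time for validation to pass.
auth_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    publish_txt "$name" "$CERTBOT_VALIDATION"
    # Wait for propagation once, after the last record of this run is added.
    [ "${CERTBOT_REMAINING_CHALLENGES:-0}" -eq 0 ] && sleep "${DNS_WAIT:-60}"
    return 0
}

# Cleanup hook: remove only the record this run created.
cleanup_hook() {
    name=$(acme_record_name "$CERTBOT_DOMAIN")
    remove_txt "$name" "$CERTBOT_VALIDATION"
}

# Invocation (certbot runs hooks through the shell, so arguments work):
#   certbot certonly --manual --preferred-challenges dns \
#     --manual-auth-hook "/path/hooks.sh auth" \
#     --manual-cleanup-hook "/path/hooks.sh cleanup" \
#     -d franchiseek.com -d '*.franchiseek.com'
case "${1:-}" in
    auth)    auth_hook ;;
    cleanup) cleanup_hook ;;
esac
```

Once the hooks work for a fresh certonly run, certbot records them in the renewal configuration and a plain certbot renew from cron uses them without interaction.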

No problem, thanks for your help. I’ll bookmark this topic and use that DNS challenge thing each time.
Have a good evening.

1 Like

By the by, franchiseek.com appears to currently be serving a Cloudflare certificate.

A couple of references for you:

Thanks, when it’s time to renew I must keep the server's certificates up to date, then re-enable Cloudflare, as the renewals don’t seem to work when proxied.

Keep in mind that you’re currently serving a Cloudflare certificate though, meaning that your Let’s Encrypt certificate isn’t doing anything. :slightly_smiling_face:

The Let's Encrypt certificate is encrypting the connection between the origin (the server) and Cloudflare. Many Cloudflare users find it easier to use Cloudflare's Origin CA instead. See https://support.cloudflare.com/hc/en-us/articles/203295200-End-to-end-HTTPS-with-Cloudflare-Part-2-SSL-certificates#h_29c6ff05-9738-49ba-85e4-d72a1b4dc1ef

The Certificates are only voided if they are explicitly revoked. You can backup the /etc/letsencrypt directory and unarchive it as needed, or migrate it between servers.

2 Likes
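An added example of the /etc/letsencrypt backup and restore mentioned above (not code from the thread or from certbot). The one thing that commonly goes wrong is the live/ directory, which holds symlinks into archive/; a copy that dereferences or drops them leaves certbot unable to renew, so the check below confirms the links still resolve after restore. The directory path is a parameter so the flow can be tried on the constructed sample tree first.

```shell
#!/bin/sh
# Added example. backup/restore of a certbot configuration directory, plus a
# check that live/<name>/privkey.pem symlinks resolve after the restore.

# tar stores symlinks as symlinks, which is what certbot's layout needs.
backup_letsencrypt() {
    src=$1; archive=$2
    tar -C "$src" -cf "$archive" .
}

# Restore into a target directory (use /etc/letsencrypt on the real server).
restore_letsencrypt() {
    archive=$1; dst=$2
    mkdir -p "$dst" && tar -C "$dst" -xf "$archive"
}

# Return 0 if every live/<name>/privkey.pem is a symlink that resolves,
# 1 if any is missing, dereferenced into a plain file, or dangling.
check_live_links() {
    dir=$1; bad=0
    for key in "$dir"/live/*/privkey.pem; do
        # skip the unexpanded glob when there are no certificates at all
        [ -e "$key" ] || [ -L "$key" ] || continue
        if [ -L "$key" ] && [ -r "$key" ]; then :; else bad=1; fi
    done
    return $bad
}

# Constructed sample tree mirroring certbot's layout (no real key material).
make_sample_tree() {
    dir=$1
    mkdir -p "$dir/archive/example.com" "$dir/live/example.com" "$dir/renewal"
    echo "constructed placeholder, not a key" > "$dir/archive/example.com/privkey1.pem"
    ln -s ../../archive/example.com/privkey1.pem "$dir/live/example.com/privkey.pem"
}
```

On the real server run backup_letsencrypt /etc/letsencrypt /root/letsencrypt.tar before renewing, and keep the archive readable only by root since it contains the private keys.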
