Renew or issue new certificate?

Currently our ssl certificate is installed on IIS web server and will expire on next week, we are planning to migrate the web server from IIS web server to centos apache web server, what command do i need to run, do i need to issue a new certificate or is it renewal process?

Hi @jzed, and welcome to the LE community forum :slight_smile:

You will have to install an ACME client compatible with your version of CentOS [to automate the renewal process].
If you want to run the new web server immediately upon the change, you will have to export/import the certificate in advance.
If you are not too concerned with a bit of downtime, you can run the ACME client once the change is made and allow CentOS to obtain its' own certificate.


The term "renewal" or "renewing" is actually dependend on the context. E.g., for the Let's Encrypt ACME server, a "renewal" is any newly issued certificate with an identical set of hostnames (order doesn't matter) in the SAN extension. (I'm not sure but I think RSA vs. ECDSA would matter to.) It doesn't matter to the Let's Encrypt server if that first certificate was on the North Pole and the newly issued certificate on Antartica: it does not know that and it doesn't care.

However, for an ACME client, "renewing" is getting a new certificate for an already issued certificate by that same ACME client. If a different ACME client would issue a certificate with the same set of hostnames, the first ACME client wouldn't know about it, and wouldn't think the cert had been renewed.

So context, as usual, matters.


This is our plan:

  1. Install new apache web server in centos7 and transfer all files to that server; configure vhost file; configure firewall.
  2. Install certbot utility on centos7
  3. Then on DNS registry change the public ip address to point to the new apache web server
  4. Decommission the existing IIS web server
  5. On the centos7 server, obtain new ssl certificate using certbot command (ex.sudo certbot --apache -d
    Or can i renew ssl certificate in advance using certbot renew --force-renewal?

Do I need to get the old ssl certificate from the IIS Web server first? Did i miss something? Thanks

Can i use certbot command instead?

I would recommend to first learn the basics and read documentation before making up commands you don't understand.


Im a bit confuse because i have an existing iis web server using ssl letsencrypt then suddenly will use centos apache web server.

Can i renew ssl certificate on new centos7 server using certbot command? What is the differece between the acme and certbot command is there any advantage and disadvantage using acme?

ACME is the name of the protocol used by Let's Encrypt and thus all ACME clients like Certbot.

Please please please read some basics such as How It Works - Let's Encrypt. That makes discussing your proposal much easier.


Certbot is an ACME client [one of many].

If the CentOS has no cert, then it can't renew one.
It can get a new one [once the IP has been changed to point to it].
As mentioned:

[again: The "ACME client" is in your given case going to be Certbot]


Just want to ask if im using snap install --classic certbot, do i need configure the renewal because i found 2 files in /etc/systemd/system directory - snap.certbot.renew.service and snap.certbot.renew.timer?

What do you mean by "configure the renewal"? If you mean: "does Certbot periodically attempt to renew the certs known to Certbot" then everything should be good to go already, no extra configuration necessary.

However, I'm still not convinced you have a firm grasp of how Let's Encrypt actually works: you do realise Certbot can only renew certs that are actually known to it, right? It cannot magically renew certs that are only known to other ACME clients.


Yes, i have basic knowledge on how it works

What i mean is do i need to configure cron job to automate the renewal of ssl certificates?

Did this statement by Osiris not answer this question?

everything should be good to go already, no extra configuration necessary.


Thanks danb35 and Osiris

1 Like

so it means renewal let's encrypt is automatically scheduled by default if we use snap?

Another method worth mentioning to use DNS validation (which creates a temporary TXT record in your DNS to prove you control the domain) on your CentOS server instead of using http domain validation. That way you don't have to wait for the DNS switchover to the new machine, you can get new your certificate any time even while DNS still points to the old server. This is also good for testing before you go live on the new server (you can point your local machine 'hosts' file at the new IP to test in a browser).

It largely depends on who your DNS provider is, whether they have an API that's supports by a dns plugin etc, but it's a good way to have service portability.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.