Restoring auto update

My domain is: swansislandcompany.com

I ran this command:

It produced this output:

My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): Linux (Amazon Linux AMI 2017.09.1)

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi:
Migrated site to new server recently. Before switching DNS I manually copied the LetsEncrypt certificates (copied the /live and /archive directories only) from source server to target server so there would be a seamless SSL experience for users during the transition.

Now I want to make sure that Certbot renews the certificate on the new server when the time comes (how do I check the expiration date, by the way?). I’m a little new to Certbot, what is the best way to proceed here?

I did install Certbot on the new server before the migration and tested it with a subdomain, it worked fine.

Thanks.

Hi @EdGeis,

That will break the certificates and confuse Certbot, because it also needs the corresponding files in /etc/letsencrypt/renewal in order to know where the certificates to be renewed are (and what method to use to renew them). I would suggest deleting these files and starting from scratch on the new server, unless you have reason to think that you're close to a rate limit.

You can ordinarily check the expiration date by running certbot certificates, among other options. Depending on how you installed Certbot and how you obtained the certificates, it may already be set up to auto-renew them.

I'd second that suggestion; but note that as part of "starting from scratch" you might also want to remove or disable the HTTPS VirtualHosts in your Apache configuration and allow Certbot to recreate them. Just deleting the certificates could prevent Apache from restarting until you replace them, which in turn may prevent Certbot from successfully replacing them, depending on how you run it.

Thanks for the reply. So are you saying delete all the files I copied over in the /live and /archive directories and then run certbot? I guess the site would be without SSL for a minute or two but I could try to do that at a quiet time.

Could I copy over the contents of the /renewal directory from the source server to the target server?

Yes, as long as you haven't made any other changes. You'll also need accounts and you'll need to be sure that symlinks in live are still symlinks.


/live is already transferred onto the target server (symlinks intact), so if all I need to do is copy over /renewal and /accounts that might be the most graceful solution.

Can I do a dry run before renewal time to make sure everything is properly configured? What does that look like in command line syntax?

Thanks again for the help.

There is a --dry-run option, but for greatest realism—if you’re not close to the rate limits!—you could also choose to do certbot renew --force-renewal (or certbot-auto renew --force-renewal if using certbot-auto) to force an immediate renewal. This does count against your rate limit, but if you have only a single certificate it shouldn’t be a problem to do this once to find out whether it works or not. (All of the rate limits reset completely after a week at most.)

What’s the best way to handle this so it automates going forward? Try just copying the /renewal and /accounts directories and doing a test before the auto renew happens? Pretty sure the person who set this up originally had it renewing on its own volition, and he was the one who suggested doing the file swap for seamless transition during the migration.

Yes, I think that’s a reasonable thing to try.

I ran certbot certificates and got this:
-bash: certbot: command not found
Hmmm. I used certbot to install a certificate on this server previously (using a subdomain). Any suggestions?
I’m in my user’s home directory, which is where I ran certbot originally. I can see that certbot-auto is in that directory. Do I run certbot-auto certificates instead?
Also noted through my browser that the current cert is good through April, so I have some time to get this set up and tested.

Yes, if you’re using certbot-auto you should always use that instead of certbot in any instructions or examples.
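
The checks discussed in this thread (a renewal config for each certificate, an accounts directory, and live entries that are still symlinks), as an added shell example that is not part of the original thread. The function name check_le_tree is hypothetical, and it assumes the default /etc/letsencrypt layout.

```shell
#!/bin/sh
# Added example: sanity-check a migrated Certbot tree before relying on renewal.
# check_le_tree is a hypothetical helper name; default layout is assumed.
# Returns 0 if the tree looks consistent, 1 otherwise.
check_le_tree() {
    root=${1:-/etc/letsencrypt}
    rc=0
    # Certbot needs the ACME account key it registered with.
    if [ -z "$(find "$root/accounts" -name private_key.json 2>/dev/null)" ]; then
        echo "MISSING: no account key under $root/accounts"; rc=1
    fi
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        # Each certificate needs a renewal config describing how to renew it.
        if [ ! -f "$root/renewal/$name.conf" ]; then
            echo "MISSING: $root/renewal/$name.conf"; rc=1
        fi
        for f in cert chain fullchain privkey; do
            link="${dir}${f}.pem"
            # live/ entries must be symlinks that resolve into archive/;
            # a plain copy (cp without -a) turns them into regular files.
            if [ ! -L "$link" ]; then
                echo "NOT A SYMLINK: $link"; rc=1
            elif [ ! -e "$link" ]; then
                echo "BROKEN SYMLINK: $link"; rc=1
            fi
        done
        # Report the expiry date when the certificate is readable.
        if [ -e "${dir}cert.pem" ] && command -v openssl >/dev/null 2>&1; then
            echo "$name: $(openssl x509 -enddate -noout -in "${dir}cert.pem" 2>/dev/null)"
        fi
    done
    return $rc
}
```

Run it as root, since privkey.pem and the account key are not world-readable, and follow a clean result with the --dry-run renewal mentioned above.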
