Retrieving already-created wildcard cert on a different server

Hi all,

On one server, I successfully used ‘certbot certonly’ to create a wildcard certificate. It works. Now on a different server, I want to download that same wildcard cert. How do I do that? Despite reading the docs, I don’t see any command to give certbot my email and have it download the cert.

Thanks,

Sean

Hi,

Let's Encrypt doesn’t store your certificate information, so there would be no option to do this.

You can either copy the certificate and private key from the previous server or issue another certificate for this server (which is suggested since it would avoid private key compromise, but it will trigger the rate limit).

Thank you

Hi @seanm,

Your certificate is a text file which is publicly available, for example you can look it up in a service like crt.sh or you can save it from your web browser when visiting the site.

Your certificate can’t be used by a server to identify itself unless the server also possesses the corresponding private key. That’s why I, for example, can’t just save the certificate from www.google.com and install it onto my own web server and then convince people that I’m Google!

If you want to use the certificate on a separate site, you’ll have to copy the private key, chain (intermediate) certificate, and certificate from the original server onto the new server. These files are found under /etc/letsencrypt if you used Certbot. You can copy them by using rsync, for example.

Certbot on the new server wouldn’t be able to do this for you on its own, because there’s no way that it can access or obtain the private key!

A difficulty with this is that when the certificate is replaced with a new version (prior to its expiry), the new files also need to be copied onto every server that’s going to use them. To help automate this, we’ve provided a feature in Certbot called --deploy-hook which lets you specify a script or command of your choice to run that copies the new certificates to wherever they need to be copied (e.g., onto any other servers that use the same certificate and key).
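As an added illustration of the --deploy-hook approach described above (this is example code, not part of the original thread or of Certbot itself), here is a small POSIX shell hook. It assumes Certbot's real behaviour of exporting RENEWED_LINEAGE (the path of the renewed /etc/letsencrypt/live/<name> directory) when it runs the hook, and it assumes a hypothetical PEERS variable listing the destinations to copy to. Remote destinations are synced with rsync over ssh; a plain local directory is treated as a copy target too, which is only there so the script can be exercised without a second machine.

```shell
#!/bin/sh
# Hypothetical Certbot deploy hook (example, not Certbot's own code).
# Usage: certbot renew --deploy-hook /usr/local/bin/sync-cert.sh
# Certbot sets RENEWED_LINEAGE to the renewed lineage directory when it runs the hook.
# PEERS (assumed, space-separated) lists destinations such as "deploy@web2:/etc/letsencrypt/live/example.com".
set -eu

LINEAGE_FILES="privkey.pem fullchain.pem cert.pem chain.pem"

# Copy one lineage directory to one destination.
#   $1 = lineage directory (contains privkey.pem, fullchain.pem, ...)
#   $2 = destination: "user@host:/path" for a remote peer, or a local directory
deploy_lineage() {
  lineage=$1
  dest=$2

  # Refuse to run with an incomplete lineage rather than half-copying it.
  for f in $LINEAGE_FILES; do
    [ -f "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
  done

  case $dest in
    *:*)
      # Remote peer: follow the live/ symlinks (-L) so the peer gets real files,
      # and force private-file permissions on everything copied.
      rsync -aL --chmod=F600 "$lineage/" "$dest/"
      ;;
    *)
      # Local directory (used to exercise the script without a peer):
      # install each file with mode 0600 so the private key is not world-readable.
      mkdir -p "$dest"
      for f in $LINEAGE_FILES; do
        install -m 0600 "$lineage/$f" "$dest/$f"
      done
      ;;
  esac
}

# Copy the renewed lineage to every destination listed in PEERS.
# After this, each peer's web server still has to be reloaded to pick up the new files.
deploy_all() {
  lineage=${RENEWED_LINEAGE:?RENEWED_LINEAGE not set; run this from certbot --deploy-hook}
  for peer in ${PEERS:-}; do
    deploy_lineage "$lineage" "$peer"
  done
}

# Only act when Certbot actually invoked us as a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
  deploy_all
fi
```

The hook copies the private key along with the certificate, which is exactly the trade-off discussed later in the thread: every peer that receives privkey.pem can now present the certificate, so the list in PEERS should be limited to servers that genuinely need to serve that name.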

Thanks both for your super fast replies!

hmm, sounds like I’m “doing it wrong” then, i.e. trying to use the same wildcard cert on different servers. I thought that would be easier. I guess there’s no harm in different certs on different servers.

IMHO, using different private keys on each server is safer than trying to share one key/cert combo.
Even when using wildcards, each server should always have its own cert.

EDIT: There are of course situations where servers benefit from sharing the same key/cert (like load-balanced members) and additional certs either cost additional money or when free they come with limits.

It’s not unusual to share private keys across multiple servers (and this is a big part of why --deploy-hook exists) but I agree that it also represents a source of security risk because it makes it easier for a compromise of one server to affect another server. I would use weaker language than you did and say something like “if possible, using different certificates on different servers provides a security benefit in some scenarios”.

In some cases there’s also a tradeoff with the Let’s Encrypt rate limits, like if there are more than 5 servers responding for a given name in a load-balancing configuration.

