Server re-install and letsencrypt/certbot(-auto)?

We have a letsencrypt cert on a server right now and after Ubuntu 18.04 is released, we plan to do a fresh re-install of the server.

My gut feeling would be for letsencrypt to only keep/transfer the static info (account, maybe private key - which could then be stored along with the server (re-)install scripts instead of having to pluck something out of a (offsite) backup) and not the dynamic info (the 90 day cert), but from searching, my impression is that the only options are to copy the whole /etc/letsencrypt/ directory or to start from scratch with a new cert and new account (seems a bit wasteful to for no reason ditch/zombie a perfectly fine account and make a new one…) .

Is there any supported inbetween to start with for certbot-auto between “no /etc/letsencrypt/ at all” and “the full contents of /etc/letsencrypt/” ?

Something like supplying just the (static)
/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory//.json

or

/etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory//.json
and
/etc/letsencrypt/renewal/*.conf
(though the “version =” in there is of course not static, but a variable, so I’m not sure if that could break something on mismatches…)

or maybe one of the above plus the /etc/letsencrypt/keys/.pem or /etc/letsencrypt/live//privkey.pem symlink and its /etc/letsencrypt/archive/privkey1.pem file. ?

(For simplicity I prefer to create/use the same procedure/scripts/files for a planned server upgrade/re-install as I would for “oops, the server just went up in flames, so now we need to to get a replacement up in as few steps as possible”, so I prefer the server’s DB dump to be the only dynamic content I need to fetch from backup…)

Hi @Marcovl,

Thanks for your question. Currently there's no migration tool or command to move an account over. I believe if you copy the entirety of /etc/letsencrypt/accounts by itself, Certbot will realize that you have an existing account and use it by default for new certificate requests.

The reason that we haven't worried about this issue in our code or documentation is that our colleagues on the server side have assured us that creating a new account isn't very expensive for the server (compared to certificate issuance, for example). For the same reason, the account creation rate limits are pretty high:

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours.

That won't work. archive and live also need to be copied for renewal to work.

If you go from an older to a newer version of Certbot, it's fine. If you go from a newer one to an older one, it's usually fine.

OK, then starting from scratch with new account and cert and letting the old account gather dust seems to be the least bad of the options for both sides.

A post was split to a new topic: Broken HTTPS connections on DreamHost

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.