Seting up certificate on failover (backup) server

Hi. I have a main server with lefts encript certificates. We bave a failover backup server. If I need to switch to it do I just cooy files (whitch) or should I do something else.

I’m assuming you’re using Certbot. In order to just get the other one working, copying the cert and key is all you need. (This is true regardless of client.) Copying the full directory structure is not really supported right now because there are just so many things that can go wrong with the symlinks and whatnot that Certbot uses. If you need to run off the backup system for any appreciable length of time, it would be best to just issue a new certificate for that box by starting Certbot from scratch.

Once I get my test server re-colo’d (probably next week) I should really take a look at proper ways to rsync the Certbot directories…

Yes I am using Certbot but how do I find the directories. Dont know mutch about certificates.

Be great ot here from you when you work out a ‘proper’ solition, sure it would be usefull to others.


It should work fine to copy all of /etc/letsencrypt over as long as you preserve symlinks. rsync -a does this properly.

It’s just not a great idea to run certbot renew on many different machines with copies of the same certificate lineages at the same time, because they will renew independently and get out of sync with each other, and also have a higher likelihood of putting the rate limits at risk unnecessarily:

Other than that, there shouldn’t really be a problem.

1 Like

Certbot stores your certificate data in /etc/letsencrypt, and in particular you can make static copies out of /etc/letsencrypt/live/ if you want the certificate, private key, and chain. (For most server software, you’ll want privkey.pem and fullchain.pem.) Note that these are static copies, so you’ll also want to have a plan about renewal and making fresh copies after the certificate is renewed.

With a privkey.pem and fullchain.pem copied onto another system, that system can also be set up to respond for that domain name with HTTPS, by pointing whatever your server software is at those PEM files.

The distinction between copying all of /etc/letsencrypt (with symlinks) and just copying privkey.pem and fullchain.pem is that in the former case, you can run certbot renew on the new system to renew the certificates, while in the latter case Certbot will not be able to renew the copied-over certificates. So it’s not a distinction about whether the certificates will work on the new system (just copying these two files is sufficient for that), but specifically about whether certbot renew on the new system will know they’re present and be able to renew them (copying the whole /etc/letsencrypt tree is recommended in this case).

OK, so after installing Certbot

rsync -a backupserver:/etc/letsencrypt/. /etc/letsencrypt/.

And I can ever rerun Certbot to renew whan needed?


I think you might want that copy to go in the other direction (from the production server to the backup server).

In this case you should be able to run certbot renew on either machine, but you should probably not run it regularly on both of them (due to rate limits), and you should not repeat the rsync command after certbot renew has been run on the backup server.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.