Taking a backup of a certificate and using it again in case of server termination

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version): Both Apache and Nginx

The operating system my web server runs on is (include version): Amazon Linux 2

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

I am able to install a certbot certificate and renew it without any issues. I am using the link Tutorial: Configure SSL/TLS on Amazon Linux 2 - Amazon Elastic Compute Cloud to install certbot, as this is the only way (please correct me if there is another option).

As per the certbot website link (Certbot Instructions | Certbot), we can only get a cert by running "sudo certbot renew --dry-run". I was not able to find instructions to install them.
My question is, in case of instance termination and a new instance spinning up, how can I use the old certificate? What changes are required to achieve that?
I can take a backup of the certificate and use it on the new instance.

I am able to install a new certificate as part of the user data script on the new instance, but would like to continue using the old certificates if there is a way. I tried checking the topics but did not find any related ones.
Help is much appreciated !!

Welcome to the community @subodh

Yes, you will need to have a cert in your instance before starting nginx or Apache. They must have the cert and private key files available at startup.

One idea to consider if you are using an AWS Load Balancer (like ELB) is to use an AWS ACM cert in ELB. This avoids needing a cert in your EC2 instances.

Giving specific advice is hard because of the many ways people design complex systems. In general, the "cert" is just a couple files needed at startup. So, whatever methods you use for other files for "seeding" your instance could be used for the cert files too. Some people use S3 or EFS or similar. In short, some persistent storage accessed on instance startup.

Trying to get a new Let's Encrypt cert from each fresh instance is usually not workable. Only 5 identical certs are allowed per week. Certs also take some time to get and may sometimes fail which is not acceptable for an instance start. You must also consider the time to install certbot unless you have it as part of your instance image.

Here is a thread you might find helpful

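As an added example of the "seed the cert files from persistent storage at startup" approach described above (this is not code from the thread or from Certbot), the script below restores a backed-up fullchain.pem/privkey.pem pair into the path the web server expects and refuses to use the backup if the key does not match the cert or the cert is inside certbot's default 30-day renewal window, in which case the instance should fall back to requesting a new cert. The S3 prefix, the /tmp/certs staging directory and the domain.com live path are assumptions; the example only assumes that the backup has already been fetched to a local directory and that openssl is installed (it is on Amazon Linux 2).

```shell
#!/bin/sh
# Added example, not from the original thread: restore a backed-up
# Let's Encrypt cert/key pair onto a fresh instance before nginx/Apache
# starts, and only fall back to issuing a new cert when the backup is unusable
# (issuance is slow, can fail, and is limited to 5 duplicate certs per week).
#
# Assumptions (hypothetical, not from the original post):
#   - the backup was copied out of /etc/letsencrypt/live/<domain>/ into
#     persistent storage and has already been fetched to $src, e.g.:
#       aws s3 cp --recursive s3://my-bucket/certs/domain.com/ /tmp/certs/
#   - the web server config points at /etc/letsencrypt/live/<domain>/{fullchain,privkey}.pem
#   - openssl is on PATH

# Install fullchain.pem and privkey.pem from $1 into $2 with safe permissions.
# Returns 1 if either file is missing or empty.
restore_certs() {
  src="$1"
  dst="$2"
  for f in fullchain.pem privkey.pem; do
    if [ ! -s "$src/$f" ]; then
      echo "restore_certs: missing or empty $src/$f" >&2
      return 1
    fi
  done
  install -d -m 0755 "$dst" || return 1
  # The chain is public; the private key must only be readable by root.
  install -m 0644 "$src/fullchain.pem" "$dst/fullchain.pem" || return 1
  install -m 0600 "$src/privkey.pem" "$dst/privkey.pem" || return 1
}

# Succeeds when the leaf cert (first cert in $1) is still valid $2 days from
# now. 30 matches certbot's default renewal window, so a cert closer to expiry
# than that would be renewed by the daily cron anyway.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Succeeds when the private key in $2 corresponds to the cert in $1, by
# comparing the public key embedded in the cert with the one derived from the key.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Full bootstrap: restore, then validate. Prints "restored" and returns 0 when
# the backup is good; prints "issue" and returns 2 when the instance should
# request a fresh cert instead.
bootstrap_certs() {
  src="$1"
  live="$2"
  if ! restore_certs "$src" "$live"; then
    echo issue; return 2
  fi
  if ! key_matches_cert "$live/fullchain.pem" "$live/privkey.pem"; then
    echo "bootstrap_certs: private key does not match cert, refusing backup" >&2
    echo issue; return 2
  fi
  if ! cert_valid_for_days "$live/fullchain.pem" 30; then
    echo "bootstrap_certs: backup expires within 30 days, refusing backup" >&2
    echo issue; return 2
  fi
  echo restored
}

# Typical user-data usage (runs as root on the new instance; certbot flags
# omitted, as they depend on your challenge type):
#   bootstrap_certs /tmp/certs /etc/letsencrypt/live/domain.com || certbot certonly ...
#   systemctl start nginx
```

The key-match check matters because a backup taken from the wrong environment, or a cert that was renewed on the old instance after the last backup, will start the web server cleanly but fail every TLS handshake; checking before startup turns that into an explicit fallback instead of an outage.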

Using --dry-run doesn't get a cert.


Thanks MikeMcQ. The above information helped a lot. I have come up with a solution to use the same certificate if Elastic Beanstalk replaces the instance. Currently the script works well for the Apache proxy. I will work on Nginx and update the script by the end of the week.
Off topic, when does certbot decide to renew the certificate if we have a cron running daily for auto-renew? Is it 10 days or 15?


The default for certbot is 30 days before expiry. It can be configured, but Let's Encrypt recommends that. It gives plenty of time to resolve problems should they occur.

Glad my earlier comments helped.


Thanks a lot :). I was thinking of writing logic for checking the expiry date and renewing it, but 30 days is best.
The issue I am facing with nginx is that so far I am not making any nginx configuration changes while installing certbot using an ebextension, whereas for Apache I am using the file below in .platform/httpd/conf.d/:

<VirtualHost *:80>
    ServerName domain.com
    DocumentRoot /var/www/html
    ServerAlias www.subdomain.domain.com
    ErrorLog /var/www/error.log
    CustomLog /var/www/requests.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.subdomain.domain.com [OR]
    RewriteCond %{SERVER_NAME} =domain.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

So while deploying the application on the Apache proxy, these changes (manual, as the old cert is copied from S3) are being deployed using an ebextension.

My next steps to reproduce this are:
a. Find the changes made by certbot to the nginx conf while installing the bot
b. Use an ebextension in such a way that only new instances get updated with the nginx config


You mention Apache proxy and nginx.
Are both web servers running in the same server? [based on topic, I think no]
Are both web servers going to need certificate(s)? [based on topic, I think yes]


Hi rg305,
thanks for getting back. Apologies for the confusion.
Both servers are used in different Elastic Beanstalk environments. I am using an ebextension to modify the Apache config file, whereas no config file modification is needed for the nginx proxy. Will update this thread next week after more testing.
Thanks all for your support.


If you can use DNS-01 authentication, then both can have their own set of certs.
