Transfer LE folder onto new server?

hi all,

Created a new kvm image with a brand new install of ubuntu20LTS with nginx and new IP 192.168.1.19

Still have the original kvm ubuntu18LTS with nginx and 2 domains with LE certs. (192.168.1.18)

Cannot get the fresh install of certbot to get the same 2 domains on the new server.


How would you like to authenticate with the ACME CA?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Plugins selected: Authenticator webroot, Installer None
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel): sample1.com, sample2.com
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for sample1.com
http-01 challenge for sample2.com
Input the webroot for sample1.com: (Enter 'c' to cancel): /var/www/nextcloud

Select the webroot for sample2.com:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Enter a new webroot
2: /var/www/nextcloud
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Waiting for verification...
Challenge failed for domain sample1.com
Challenge failed for domain sample2.com
http-01 challenge for sample1.com
http-01 challenge for sample2.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: sample1.com
   Type:   connection
   Detail: Fetching
   http://sample1.com/.well-known/acme-challenge/qUORx5pH5BPp3ZWMcAv2jhkWGfiw5eiaqY_mPTzJ854:
   Connection refused

   Domain: sample2.com
   Type:   connection
   Detail: Fetching
   http://sample2.com/.well-known/acme-challenge/BkeW4FJgWKzGksuzjYj1ech2EeiHb9tItah5gC9Srec:
   Connection refused

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.
root@webserv:/etc/letsencrypt/live#

I have redirected the router and opened up 80 and 443 on UFW; I can't get the nginx service to start without these certs.

Any help would be greatly appreciated

1 Like

Hi @Heetered,

The webroot method which you chose assumes that a web server is already running. Did you mean that the web server in question is not running specifically because its configuration contains references to certificates which don't yet exist on this machine? In that case, did you copy over the nginx configuration files from the old server to the new server without also copying the certificates that they referred to?

1 Like

Hi schoen

Yes, correct: nginx fails to start because of missing certs.

Yes, I copied the nginx config folder.

Should I copy over the /etc/letsencrypt/live folder?

Would that work?

1 Like

Hi @Heetered,

The issue here is that if you want your nginx configuration to be copied directly, there is a chicken-and-egg problem:

Certbot needs nginx to run in order to obtain a certificate using the webroot method.

But nginx (with the copied-over configuration) needs a certificate to exist on disk in order to start up, because the nginx configuration references that certificate as already existing.

Two plausible approaches would be:

(1) You could remove the nginx server blocks on the new server that refer to HTTPS and then use Certbot to create your certificates. (If you use certbot --nginx, it may even be able to recreate the relevant definitions for you, based on your HTTP server blocks.)

(2) You could copy all of /etc/letsencrypt over to the new server, using a method that preserves symbolic links (for example, rsync -a). In that case, nginx will work right away and certificate renewals should also work on the new server.

Copying just a portion of /etc/letsencrypt could certainly allow nginx to start up properly, but would cause Certbot to become confused in the future for renewal attempts, because it would find that its configuration under /etc/letsencrypt had become corrupted (because some necessary files would be missing).

3 Likes
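The difference between the two copies discussed above (just the live folder versus the whole /etc/letsencrypt tree with symlinks preserved) is easy to see on disk. The following shell script is an added example, not schoen's or Certbot's own code: it builds a constructed Certbot-style layout (archive/ holding the real files, live/ holding relative symlinks into archive/, renewal/ holding the renewal config) in a temporary directory, performs both kinds of copy, and checks whether every live/<domain>/*.pem still resolves to a file under archive/. The domain sample1.com and the file contents are constructed fixtures; rsync -a is used when available, with cp -a (which also preserves symlinks) as the offline fallback.

```shell
#!/bin/sh
# Added example: compare "copy only live/" with "copy the whole tree" for a
# constructed /etc/letsencrypt layout, and verify the symlinks afterwards.
set -u

# Build a minimal Certbot-style tree under $1 for domain $2 (constructed data).
make_le_fixture() {
    root=$1
    domain=${2:-sample1.com}   # constructed domain, as used in the thread
    mkdir -p "$root/archive/$domain" "$root/live/$domain" "$root/renewal"
    for f in cert chain fullchain privkey; do
        printf 'constructed %s for %s\n' "$f" "$domain" > "$root/archive/$domain/${f}1.pem"
        # Certbot's live/ entries are relative symlinks into archive/
        ln -s "../../archive/$domain/${f}1.pem" "$root/live/$domain/$f.pem"
    done
    printf '[renewalparams]\nauthenticator = webroot\n' > "$root/renewal/$domain.conf"
}

# What the original poster proposed: copy only live/ to the new server.
copy_live_only() {
    src=$1; dst=$2
    mkdir -p "$dst"
    cp -a "$src/live" "$dst/"
}

# What the answer recommends: copy all of /etc/letsencrypt, preserving symlinks.
copy_whole_tree() {
    src=$1; dst=$2
    mkdir -p "$dst"
    if command -v rsync >/dev/null 2>&1; then
        rsync -a "$src/" "$dst/"
    else
        cp -a "$src/." "$dst/"
    fi
}

# Check every live/<domain>/*.pem: it must be a symlink whose target exists
# and sits under archive/, and renewal/ must be present for `certbot renew`.
# Returns 0 when the tree is consistent, 1 otherwise.
check_le_tree() {
    root=$(cd "$1" && pwd -P) || return 1
    rc=0
    for link in "$root"/live/*/*.pem; do
        [ -e "$link" ] || [ -L "$link" ] || continue   # glob matched nothing
        if [ ! -L "$link" ]; then
            echo "NOT A SYMLINK: $link"; rc=1; continue
        fi
        target=$(readlink -f "$link" 2>/dev/null || true)
        if [ -z "$target" ] || [ ! -f "$target" ]; then
            echo "DANGLING: $link"; rc=1; continue
        fi
        case "$target" in
            "$root"/archive/*) echo "ok: $link -> $target" ;;
            *) echo "OUTSIDE archive/: $link -> $target"; rc=1 ;;
        esac
    done
    if [ ! -d "$root/renewal" ]; then
        echo "missing renewal/: certbot renew would have nothing to renew"; rc=1
    fi
    return $rc
}

# Run the full comparison in a scratch directory (invoke as: sh script.sh demo).
demo() {
    work=$(mktemp -d)
    make_le_fixture "$work/old"
    copy_live_only "$work/old" "$work/new_live_only"
    copy_whole_tree "$work/old" "$work/new_full"
    echo "== live/ only =="; check_le_tree "$work/new_live_only" || echo "-> broken"
    echo "== whole tree =="; check_le_tree "$work/new_full" && echo "-> consistent"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then demo; fi
```

The live-only copy produces dangling symlinks (the relative targets point into an archive/ that was never copied) and has no renewal/ directory, which is exactly why Certbot would later be confused; the whole-tree copy passes the check, so nginx can start and renewals keep working. On a real migration the same check can be run against /etc/letsencrypt on the new host before starting nginx.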

Thank you Schoen,

That was a great help. I moved the whole /etc/letsencrypt over, nginx service started up, and then I was able to update certbot after that.

I must admit that I didn't realize that certbot needed the nginx service to be running for certbot to function. Now, thinking about it, I should have known.

1 Like

It doesn't always; if you use certbot --standalone then it instead needs the nginx service not to be running. But other modes generally use the existing web server as part of the validation process.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.