Using Certbot on One Server to Generate Certificates for Another

Hi there,
I have finally managed to install certbot on one of my Raspberry Pis and successfully got a certificate by running the following command:

sudo certbot --apache

The DNS service I am using is duckdns.org.

So far so good.

Now I would like to transfer the same certificate to another Raspberry Pi, also running Apache but on a different port.
So I have installed certbot on my second Raspberry Pi, copied the 4 files located in /etc/letsencrypt/live/server.duckdns.org (cert.pem, privkey.pem, chain.pem, and fullchain.pem) from the first Raspberry Pi to the second, and run the following:

sudo certbot install --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path <fullchain_path>

And this is what I get soon after:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: server.duckdns.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):1
Deploying Certificate to VirtualHost /etc/apache2/sites-available/000-default-le-ssl.conf

Please choose whether HTTPS access is required or optional.

1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Enhancement redirect was already set.

And nothing else happened.

I would appreciate it if someone could shed some light, as I can’t get my head around it.

Many thanks!

EDIT:

I have tried to run the same command but without ‘install’:

sudo certbot --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path <fullchain_path>

and this is what I am now getting:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?

1: server.duckdns.org

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel):1
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for server.duckdns.org
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. server.duckdns.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 15dba428c0f4b7f2af07a65ebe2ba3c3.d20a1b9bb534e3c2417c13c2ce0d74b9.acme.invalid from xx.yy.zz.aa:443. Received 2 certificate(s), first certificate had names “server.duckdns.org

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: server.duckdns.org
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    15dba428c0f4b7f2af07a65ebe2ba3c3.d20a1b9bb534e3c2417c13c2ce0d74b9.acme.invalid
    from 80.42.113.25:443. Received 2 certificate(s), first certificate
    had names “server.duckdns.org

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Hi @harlock74,

I don’t think there is currently a documented, supported way to do exactly what you’re trying to do with Certbot (that is, “install only” when the certificates were not created on the local machine).

The option that I think you’re looking for is --reinstall, but it’s normally assuming that it’s reinstalling a certificate that was created on the same machine. If you want to copy certificates from one machine to another and have the target machine use Certbot to deal with them, I would highly recommend using rsync with a method like -a to preserve symbolic links, and copy the entirety of /etc/letsencrypt. If you do this, there’s some likelihood that --reinstall can work to install the certificate in Apache on the target machine.

Without the entirety of /etc/letsencrypt/renewal, /etc/letsencrypt/live, and /etc/letsencrypt/archive, including their symlink structure, Certbot is likely to be confused and regard its certificate storage as corrupted in various ways.

Hi schoen,
Many thanks for coming back to me.
Are you suggesting to copy /etc/letsencrypt/renewal, /etc/letsencrypt/live, and /etc/letsencrypt/archive from the first server to the second server and then running on the second server:

sudo certbot --reinstall --apache

or

sudo certbot --reinstall --apache --cert-path --key-path --chain-path --fullchain-path

Thanks a lot!

Hi @harlock74,

I would suggest copying all of those directories and then I think running something like

sudo certbot -i apache --reinstall --cert-name your-cert-name

I don’t think the --cert-path stuff makes sense here because they expect you to specify a particular path, not just mention the name of the option.

Hi,
Great, I will try that. Can you please let me know where I can get my-cert-name from?
Thanks.

You can find it by running certbot certificates (it’s also the part before the .conf in /etc/letsencrypt/renewal, and is normally the same as one of the domain names in the certificate).

Perfect, I will try that and report back to you!

Hi schoen,
I have tried several times with rsync. However, I have got many ‘operation not permitted’ error messages. I have also tried with sudo -s before using rsync -a.
Any other suggestions please?

EDIT:
I have managed to transfer all the files and successfully installed certbot on the second Raspberry Pi. However, when I connect to my own web page I don’t see the small lock icon that confirms that it is a secure connection. I guess I am getting there though :)

Is there a way to remove the certificate/certbot from the first Raspberry Pi and re-install everything from scratch on the second Raspberry Pi?

Thanks!

Are you accessing it via an HTTP URL or HTTPS URL? Did you try a certbot --reinstall command of some sort after copying the files?

I think a lot of people have had the intuition that they can only have one certificate active at a time. But there is no such restriction. I've written about this issue in a number of threads:

https://community.letsencrypt.org/search?q=overlapping%20validity

I have tried with both but to no avail. Yes, after rsyncing all the directories in /etc/letsencrypt/ I have run the following:

sudo certbot -i apache --reinstall --cert-name your-cert-name

Thanks.

Thanks, I will have a read through. What is really frustrating me is that someone else wanted to do the same thing and managed to achieve it. Please refer to:

https://github.com/certbot/certbot/issues/2005

Thanks.

I think this differs from your situation.
In that, you are expecting to continue using both PIs and on the same IP (presumably), just on different ports.
If that is the case, I’m not sure you will ever be able to renew them both (via HTTP or HTTPS).
You may however renew one via HTTP and the other (or both) via DNS authentication.
Not sure how copying the folders from PI1 to PI2 and reapplying them may work out in the PI world.

It’s working!!! Success!!! I just need to replicate it now.

hi @harlock74

I think having 2x certbot instances is overkill personally

I am assuming you have 2x Raspberry Pis, which I will call RPI1 and RPI2

RPI1 - obtains the certificates and stores them in the usual certbot path

On completion of a certificate install run a script which copies it to RPI2 and updates the apache configs.

You will need to restart apache on RPI2 as well

Seems easier than managing two instances of certbot

Usually in these kinds of scenarios I like to have one dedicated server as the certificate server and scripts to do the installing on other servers

Andrei

Hi @ahaw021,
Many thanks for your notes.
This is exactly what I would like to achieve.
Can you please let me know how to do the following:

“On completion of a certificate install run a script which copies it to RPI2 and updates the apache configs.”

Reason being I did not quite understand the instructions as per your link to the User guide.

Many thanks.

Certbot currently does not contain any code to accomplish this task. @ahaw021 is probably envisioning that you will build it yourself using Unix shell scripting.

At last! It’s working like a charm using certbot on both my RPis!
I will do a write-up and share it here…hopefully I will not forget what I just did…lol… :+1:

Note that this is one of the use cases that I built https://github.com/plinss/acmebot/ for, having one computer handle authorizations and/or certificates while another just gets certificates using the prior authorizations. The documentation explains how to set up a master/slave pair.


After trying different methods with both certbot and letsencrypt, the most reliable solution that I have managed to reproduce every time, without getting any error messages, is as per the instructions below:

After creating a certificate with letsencrypt on your first RPi:

1. Locate the folder where your certificate is being stored. This should be in /etc/letsencrypt/live/<your_domain> by default.

2. You should see 4 files: cert.pem, privkey.pem, chain.pem, and fullchain.pem. Copy these files to your second RPi. As recommended, you have to rsync with a method like -a to preserve symbolic links, and then copy the entirety of /etc/letsencrypt. Alternatively you can create an archive with tar, again to preserve all the relevant symbolic links.

3. Install letsencrypt on your second RPi:
git clone https://github.com/letsencrypt/letsencrypt

4. Then:
cd letsencrypt

5. Then run the command to re-install your certificate:
./letsencrypt-auto install --apache --cert-path <cert_path> --key-path <key_path> --chain-path <chain_path> --fullchain-path <fullchain_path>

6. Make sure you change the SSL port on your second RPi by editing:

sudo nano /etc/apache2/ports.conf
sudo nano /etc/apache2/sites-available/default-ssl.conf
sudo nano /etc/apache2/sites-available/000-default-le-ssl.conf
sudo service apache2 restart
sudo systemctl daemon-reload

7. Port-forward the new SSL port from your router.
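As an added example (not code from the thread or from the certbot project), the "copy it to RPI2 and reload Apache" script that @ahaw021 describes, done as a certbot deploy hook on RPI1, plus the symlink sanity check behind the rsync -a advice in step 2 above. Assumed: RPI2 is reachable as the placeholder host in $REMOTE over key-based ssh, that account can run rsync and systemctl via sudo, and the hook is registered with certbot's --deploy-hook option, which exports RENEWED_LINEAGE when a certificate is deployed.

```shell
#!/bin/sh
# Added example, not from the thread: a certbot deploy hook for RPI1 that
# pushes the whole /etc/letsencrypt tree to RPI2 with rsync -a (symlinks
# stay symlinks, so live/ keeps pointing into archive/) and reloads Apache.
# Register on RPI1 with:  certbot renew --deploy-hook /usr/local/bin/push-certs.sh
# Assumptions: $REMOTE is a constructed placeholder host; that account may run
# rsync and systemctl through sudo; certbot sets RENEWED_LINEAGE to live/<name>.

REMOTE="${REMOTE:-pi@rpi2.lan}"          # placeholder, set to your RPI2
LE_ROOT="${LE_ROOT:-/etc/letsencrypt}"

# Check a lineage before shipping it: all four files must exist and every
# symlink must resolve into archive/. A plain cp of live/ alone breaks this,
# which is why the thread recommends rsync -a over the whole tree.
check_lineage() {
    dir="$1"
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        if [ ! -e "$dir/$f" ]; then           # -e follows symlinks
            echo "check_lineage: $dir/$f missing or dangling" >&2
            return 1
        fi
    done
    return 0
}

# Copy live/, archive/ and renewal/ together so certbot on RPI2 sees a
# consistent store; -a keeps modes (privkey stays 0600) and symlinks,
# --delete removes archive versions that RPI1 has already pruned.
push_store() {
    rsync -a --delete --rsync-path="sudo rsync" \
        "$LE_ROOT/" "$REMOTE:$LE_ROOT/" || return 1
    ssh "$REMOTE" 'sudo systemctl reload apache2'
}

# Entry point when certbot invokes this as a deploy hook.
if [ -n "$RENEWED_LINEAGE" ]; then
    check_lineage "$RENEWED_LINEAGE" && push_store
fi
```

Apache on RPI2 still needs its own ports.conf and SSL vhost pointing at the live/ paths, as in step 6; the hook only keeps the certificate files current.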