Using certificate/key in another server - Renewal question

Hi people, I have generated a Let's Encrypt key and certificate on one server with public IP#1 and now I'm using them on a different server with public IP#2, so I'm a bit confused about how to renew the certificate.

My domain is:

customerservices.com.ar

I ran this command as root in a Debian 10.5 server, using DNS challenge:

certbot certonly --manual --preferred-challenge=dns --email hostmaster@xxxxx.com.ar --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.customerservice.com.ar

On Debian 10.5, I have certbot 0.31.0.

It produced this output:

/etc/letsencrypt/live/customerservice.com.ar/
cert.pem
chain.pem
fullchain.pem
privkey.pem

I moved the fullchain.pem and privkey.pem to a different server (Ubuntu 18.04) in order to use the key and certificate there (I have root access here too). So I use the key and certificate on a different server from the one on which I generated them.

Please my questions are:

What do I need to have on the Ubuntu 18.04 server in order to renew the certificate before expiration ??? Can I have a certbot package of a different version to run the renewal ??? Do I have to copy the exact structure below the /etc/letsencrypt/ path from the server on which I generated the key and certificate (Debian 10.5) to the server where the key and certificate will be installed (Ubuntu 18.04)?

Thanks a lot in advance!!!


A renewal is just a name given to a brand new certificate but with the same set of hostnames as a previously issued certificate. So it's more of an artificial definition, mostly to be able to define rate limits and exempt the renewals from some.

So "just get a new certificate with the same hostnames" could be an answer to your question.

Sure, see my answer above.

That is certainly a possibility. If you'd do that (preserving ownership, permissions, symbolic links et cetera), you could do exactly the same as you did before.

However, question for you: you're using the manual plugin without any manual auth hooks, so you need to manually renew anyway. How did you renew previously on your Debian system?


Dear Osiris, thanks for your response.

I've never renewed my certificate yet, but I think I'm going to copy the original /etc/letsencrypt structure from the original machine to my new Ubuntu machine, and on this server I will use the cron service to run this command every day:

certbot renew

Do you think it's ok ???

Regards !!!


certbot renew doesn't work with the manual plugin, as it requires manual handling of the challenges. To use certbot renew and automatically renew your certificate, you should automate the adding and removing of TXT records in your DNS zone instead of doing that manually.

Also note: with the command you've given in your first post, you only specified the wildcard hostname for your certificate. Such a certificate isn't valid for the apex domain name customerservice.com.ar, but only for subdomains thereof. You should add -d customerservice.com.ar to the command.


Dear Osiris, I understand, thanks for your comments.

I've used the command I mentioned to generate my certificate:

# certbot certonly --manual --preferred-challenge=dns --email pnet-infra@provincianet.com.ar --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.customerservice.com.ar

So is there any possible way to automatically renew my certificate? Or do I have to generate the certificate again in a different way in order to use the cron service in the future to renew it?

Thanks a lot again!


Not without a script to add and remove TXT records in your DNS zone. For every (typical) renewal, you'll need to add new challenge TXT records and certbot can't do that for you without the proper script (or DNS plugin, if applicable).

If your DNS is provided by one of the DNS providers for which certbot has a DNS plugin, you could use such a plugin to automate the adding (and removing) of the required TXT records.
If that's not an option, you'd require a script to do the adding (and removing) of TXT records to your DNS zone.
If you don't have such a script or you don't know how to write one, you're left with manually adding and removing the TXT records and that can't be done through cron.

All of this is only necessary because of your wildcard certificate. If you don't actually require a wildcard certificate, things are a lot simpler.

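As an added example (not from this thread and not certbot's own code), a hook script of the kind Osiris describes: certbot runs it as the --manual-auth-hook to add the _acme-challenge TXT record and again as the --manual-cleanup-hook to delete it, so certbot renew can complete the DNS challenge from cron. It assumes the zone's primary server accepts RFC 2136 dynamic updates signed with a TSIG key (nsupdate and dig from bind9-dnsutils); the server name, key path and the add/delete argument are placeholders.

```shell
#!/bin/sh
# Hypothetical certbot DNS-01 hook: "hook.sh add" as --manual-auth-hook,
# "hook.sh delete" as --manual-cleanup-hook. certbot exports CERTBOT_DOMAIN
# and CERTBOT_VALIDATION (the token to publish) to the hook's environment.
set -eu

DNS_SERVER="${DNS_SERVER:-ns1.example.com}"        # placeholder primary server
TSIG_KEY="${TSIG_KEY:-/etc/letsencrypt/tsig.key}"  # placeholder key (mode 0600)
TTL=60

# The record certbot checks is _acme-challenge under the validated name. A
# wildcard *.example.com is validated at example.com, so strip any "*.".
challenge_record_name() {
    printf '_acme-challenge.%s' "${1#\*.}"
}

# Emit the nsupdate script. $1 = add|delete, $2 = domain, $3 = token (add only).
# Least privilege: give the TSIG key a BIND update-policy that only grants
# TXT at _acme-challenge.<zone>, so a leaked key cannot rewrite other records.
build_nsupdate_script() {
    action="$1"; name=$(challenge_record_name "$2"); token="${3:-}"
    printf 'server %s\n' "$DNS_SERVER"
    if [ "$action" = add ]; then
        printf 'update add %s %s TXT "%s"\n' "$name" "$TTL" "$token"
    else
        printf 'update delete %s TXT\n' "$name"
    fi
    printf 'send\n'
}

# Poll the authoritative server until the token is visible, so the ACME
# server does not query before the update has been applied. $1 = domain, $2 = token
wait_for_record() {
    name=$(challenge_record_name "$1"); i=0
    while [ "$i" -lt 10 ]; do
        if dig +short @"$DNS_SERVER" TXT "$name" | grep -q "$2"; then
            return 0
        fi
        i=$((i + 1)); sleep 5
    done
    return 1
}

# Entry point when invoked by certbot (CERTBOT_DOMAIN is only set then).
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    action="${1:-add}"
    build_nsupdate_script "$action" "$CERTBOT_DOMAIN" "${CERTBOT_VALIDATION:-}" \
        | nsupdate -k "$TSIG_KEY"
    if [ "$action" = add ]; then
        wait_for_record "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    fi
fi
```

With the hooks in place the initial request becomes certbot certonly --manual --preferred-challenges dns --manual-auth-hook "/path/hook.sh add" --manual-cleanup-hook "/path/hook.sh delete" -d customerservice.com.ar -d '*.customerservice.com.ar', and certbot stores the hook paths in the renewal configuration so a later certbot renew reuses them.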

Thanks a lot for your support !!!
