When creating a new server using existing certs, how can I setup renewal?

Yesterday I used the LE client to issue a certificate for a server. Today, I plan on tearing down the server and rebuilding it (to test my automated deploy process). What do I need to backup/copy from the server to ensure that I can use the client’s renew command on the new server?

Also, I guess slightly related: should I even bother renewing the certificate when I can just have a new one issued?

All relevant files are stored in /etc/letsencrypt by default. Make sure that you're preserving file system permissions and symlinks when you're copying that directory (for example with rsync -a).

I suppose that would depend mostly on how often you expect to be doing this. If this is just in case of a restore after you lost a disk or something like that, I probably would just issue new certificates, as this doesn't happen very often. Note that I'd still very much recommend keeping backups of your private key and account key (both stored in /etc/letsencrypt as well), as you'd need those to revoke your certificate in case of a compromise.


I had this exact issue last night! My HDD was/is dying so I built a new server from scratch (my old one was about 5 years old). I reinstalled a clean FreeBSD 10.3 and then had to install all my other software. I’d backed up most of my conf files so getting Apache/Samba/Unbound/ISC-DHCP/etc working wasn’t a big chore. I hadn’t backed up my letsencrypt directory, though.

During a brief moment the old HDD was functioning, I used rsync to copy the entire letsencrypt directory to my new machine. I used the “a” (archive) flag, which also covers the “l” (preserve symbolic links) flag. From the old machine as root, I pushed the directory to my new server as a standard user.

Once transferred, I then recursively chowned the directory back to root, and that was that! I know I could have just started again, but I enjoyed keeping my original setup and Let’s Encrypt account data 🙂
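As an added illustration of the copy-and-verify step the replies above describe (example script written for this page, not code from the thread or from the Let's Encrypt client): it copies a letsencrypt directory with rsync -a, falling back to cp -a when rsync is absent, then checks that the live/ symlinks still resolve into archive/ and that the private keys and account key are not readable by group or others. The directory paths and the small sample tree it builds are constructed placeholders that mimic the /etc/letsencrypt layout.

```shell
#!/bin/sh
# Added example: copy a Let's Encrypt directory preserving symlinks and modes,
# then verify the copy before pointing the client's renew command at it.
# Paths are placeholders; the sample tree is constructed data for the demo.

# Build a minimal stand-in for /etc/letsencrypt under $1 (constructed data).
make_sample_tree() {
  root="$1"; dom="example.test"
  mkdir -p "$root/archive/$dom" "$root/live/$dom" "$root/accounts/acme/dir/0123"
  for n in cert chain fullchain privkey; do
    echo "dummy $n" > "$root/archive/$dom/${n}1.pem"
    ln -s "../../archive/$dom/${n}1.pem" "$root/live/$dom/$n.pem"
  done
  chmod 600 "$root/archive/$dom/privkey1.pem"
  echo '{}' > "$root/accounts/acme/dir/0123/private_key.json"
  chmod 600 "$root/accounts/acme/dir/0123/private_key.json"
}

# Copy SRC to DST; rsync -a (the flag used in the thread) or cp -a both keep
# symlinks, modes and, when run as root, ownership.
copy_le_dir() {
  if command -v rsync >/dev/null 2>&1; then
    rsync -a "$1/" "$2/"
  else
    mkdir -p "$2" && cp -a "$1/." "$2/"
  fi
}

# Verify a copied tree: live/*/*.pem must still be symlinks that resolve, and
# private keys must not be readable by group or others. Returns 1 on any problem.
check_le_dir() {
  dir="$1"; rc=0
  for f in "$dir"/live/*/*.pem; do
    [ -e "$f" ] || [ -L "$f" ] || continue   # glob matched nothing
    if [ ! -L "$f" ]; then
      echo "not a symlink (copied without -a?): $f"; rc=1
    elif [ ! -e "$f" ]; then
      echo "dangling symlink: $f -> $(readlink "$f")"; rc=1
    fi
  done
  for k in "$dir"/archive/*/privkey*.pem "$dir"/accounts/*/*/*/private_key.json; do
    [ -e "$k" ] || continue
    mode=$(stat -c '%a' "$k" 2>/dev/null || stat -f '%Lp' "$k")   # GNU, then BSD stat
    case "$mode" in
      *00) ;;
      *) echo "key readable by group/others (mode $mode): $k"; rc=1 ;;
    esac
  done
  return "$rc"
}
```

Run the check as root on the new machine after chowning the copied tree back to root, as the last reply does, and only then invoke the client's renew command.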
