Why do certs continue to work on my sites if the whole letsencrypt folder was deleted?


#1

I issued my certs using Certbot for nginx on Ubuntu 16, but then I had to switch servers. At first I thought, gee, I'll just copy the whole Let's Encrypt folder to the new server and then install Certbot there too (both servers were identical, using nginx and Ubuntu 16).

The certs were working fine on the new server, but then I realized when I tried to issue a new cert that Let's Encrypt threw some errors on a blue screen stating that some of the renewal conf. files within the renewal folder were broken (whatever that means; I guess it has something to do with symlinks???).

I thought maybe the answer was to delete everything and re-issue the certs again (given it's so easy with Certbot). So I made a snapshot of my server and deleted the whole letsencrypt folder. But then something weird happened. The certs are supposed to live within that folder, so while the folder was deleted I visited my websites to see if a red flag was thrown by my browser, but everything was working fine. (Why is that?)

Right now I'm just re-issuing the certs using Certbot (because I deleted the letsencrypt folder), but I don't understand why my websites were working (I deleted my cache and visited on different browsers) while the folder was gone (before I re-issued the certs).

I'm thinking maybe the certs are loaded with nginx? So even if I deleted the folder, nginx was never reloaded.

Could anyone confirm or explain this behaviour to me, please?


#2

The certificates and keys are loaded into memory when you start nginx. If you attempt to restart nginx while the files are gone, nginx will fail to start.

For future server migrations, I’d recommend using rsync -a to copy everything in /etc/letsencrypt to the new server. This will preserve permissions and symlinks.
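
The migration problem discussed in this thread, as an added example that is not part of the original posts: a pre-reload check that a copied Certbot tree still has its `live/` symlinks and renewal configs intact. It assumes the standard Certbot layout (`live/`, `archive/`, `renewal/`); `check_le_tree` and the `--check` switch are hypothetical names.

```shell
#!/bin/sh
# Added example: sanity-check a copied /etc/letsencrypt tree BEFORE reloading
# nginx. The running nginx keeps serving the cert it loaded at startup, so a
# damaged tree only shows up at the next reload/restart or at renewal time.
# Assumes the standard Certbot layout; check_le_tree is a hypothetical helper.

check_le_tree() {
    root=${1:-/etc/letsencrypt}
    problems=0
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        for f in cert privkey chain fullchain; do
            link="$dir$f.pem"
            if [ ! -L "$link" ]; then
                # Plain file or nothing: the copy dereferenced or dropped the link.
                echo "NOT A SYMLINK: $link"
                problems=$((problems + 1))
            elif [ ! -e "$link" ]; then
                # The link survived but its target under archive/ is gone.
                echo "BROKEN SYMLINK: $link -> $(readlink "$link")"
                problems=$((problems + 1))
            fi
        done
        # Certbot needs one renewal config per lineage in live/.
        if [ ! -f "$root/renewal/$name.conf" ]; then
            echo "MISSING RENEWAL CONF: $root/renewal/$name.conf"
            problems=$((problems + 1))
        fi
    done
    # Exit status 0 only when the tree is consistent.
    [ "$problems" -eq 0 ]
}

# Usage: sh check_le.sh --check [/etc/letsencrypt]
if [ "${1:-}" = "--check" ]; then
    if check_le_tree "${2:-/etc/letsencrypt}"; then
        echo "tree looks consistent; now run: nginx -t"
    else
        echo "$problems problem(s) found; do not reload nginx yet"
    fi
fi
```

A clean result only means the tree is structurally consistent; `sudo nginx -t` is still the check that nginx itself can open the files its vhosts reference.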


#3

Yes, I ran sudo nginx -t and it reported an error from the first vhost on the list because it did not find the cert. Thanks!


#4

And thanks for the rsync tip, I will look into that.

