How to reuse a Let’s Encrypt certificate on a new server.

Patrick Blom
Jul 12, 2020

A couple of weeks ago my cloud hosting provider informed me that one of my instances would no longer be maintained and would be shut down within the next months. Sadly I was not able to migrate the server to a new hardware node, so I created a new instance and moved all my stuff to the new machine. As part of this task I also moved my Let’s Encrypt SSL certificates to the new machine. This article is about how to do this and what you have to keep in mind during the process.

Step 0: Prepare the new machine

To ensure that everything works as expected on the new machine, some things have to be prepared. In my case I had already installed certbot and the Apache webserver, which were also available on the old server. Further, I copied the V-Host files to the new machine so that the webserver can locate the SSL certificates instantly.
In general you should set up the new server to match the old one, otherwise the transfer might not work. For example, if you switch the webserver from Apache to nginx, this tutorial will definitely not work.

Step 1: Locate the necessary files

To locate your certificates, take a look at your SSL V-Host configuration. At the bottom of the file you will find the entries for the certificate.

[Screenshot: webserver configuration]

In my case the certificates were located in:

$> /etc/letsencrypt/live/patrick-blom.de/

Further, there is also an options file called options-ssl-apache.conf, which also has to be kept during the transfer.

Step 2: Transfer the files to the new machine

Once the location of the files is known, we can start transferring them to the new server. As you can see on the screenshot, the live certificates are linked to the archive directory at the root of the Let’s Encrypt folder. Furthermore, there is also an entry inside the renewal folder, so we have to keep that as well.

So we have to transfer the following files and folders:

  • archive
  • live
  • renewal
  • options-ssl-apache.conf

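The simplest way to transfer all the files and links is to wrap everything into a tarball, created from the root of the Let’s Encrypt folder, and copy it to the new machine using scp. The tarball contains the private keys from the archive folder, so delete it on both machines once the transfer is done. Here is an example of how you could do that.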

$> sudo tar -czvf backup.tar.gz archive/ live/ renewal/ options-ssl-apache.conf && scp backup.tar.gz [your-user]@[your-server-ip]:/my/new/letsencrypt/path

Step 3: Reuse the transferred files on the new machine

Once the files have been transferred to the new server, we can extract them from the tarball and move them to the new Let’s Encrypt folder.

$> sudo tar -xzvf backup.tar.gz
$> sudo mv archive/ live/ renewal/ options-ssl-apache.conf /etc/letsencrypt/

Step 4: Test the config and the cert renewal

If everything is in place you can restart the apache webserver. The certificate should be loaded and functional.

$> sudo systemctl restart apache2.service

To test the renewal process, first run the following command to create an account and accept the terms and conditions. If you hit the setup process, just quit certbot using CTRL-C.

$> sudo certbot

You’re now ready to test the renewal. Just type in:

$> sudo certbot renew --dry-run

and you’re done! You have successfully transferred a Let’s Encrypt SSL certificate to a new server.

— Update —

You might run into the issue that the automatic renewal fails after the transfer. This happens because you created a new account ID in “Step 4”.

To fix the issue, simply update the account ID in your renewal files in ‘/etc/letsencrypt/renewal/your-domain.conf’. You can grab the new account ID from the folder name located in ‘/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/’.
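The account ID fix described above, written as a small shell function. This is an added example, not part of the original post: the function name `update_renewal_account` is hypothetical, and it assumes the renewal file contains the `account = <id>` line that certbot writes and that exactly one account folder exists on the new server.

```shell
#!/bin/sh
# Added example (not from the original post). Run as root on the new server.
# update_renewal_account DOMAIN [LE_ROOT]   (function name is hypothetical)
update_renewal_account() {
    domain=$1
    root=${2:-/etc/letsencrypt}
    conf="$root/renewal/$domain.conf"
    acct_dir="$root/accounts/acme-v02.api.letsencrypt.org/directory"

    [ -f "$conf" ] || { echo "missing $conf" >&2; return 1; }

    # Every registered account is one sub-folder; its name is the account id.
    count=0
    id=
    for d in "$acct_dir"/*/; do
        if [ -d "$d" ]; then
            id=$(basename "$d")
            count=$((count + 1))
        fi
    done
    # Refuse to guess when there is no account or more than one.
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one account in $acct_dir, found $count" >&2
        return 2
    fi
    # The id is pasted into a sed replacement, so accept plain alphanumerics only.
    case $id in
        *[!A-Za-z0-9]*) echo "unexpected account folder name: $id" >&2; return 3 ;;
    esac
    # Assumption: certbot's "account = <id>" line is present in the renewal file.
    if ! grep -q '^account[[:space:]]*=' "$conf"; then
        echo "no account line in $conf" >&2
        return 4
    fi

    cp -p "$conf" "$conf.bak"    # keep the transferred version for rollback
    # Writing through the redirect keeps the file's existing owner and mode.
    sed "s|^account[[:space:]]*=.*|account = $id|" "$conf.bak" > "$conf"
}
```

After calling `update_renewal_account your-domain`, the `sudo certbot renew --dry-run` command from Step 4 confirms that renewal works with the new account.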
