4

I have an ubuntu server running through Digital Ocean that has an SSH certificate that I got through LetsEncrypt.

I'm trying to switch to a cheaper service, and I need to move the cert to my new server. How can I do this?

It looks like I can revoke the certificate on my current DO server. Can I then make a new one on my new server without any problems?

Kecoey

  • You can transfer the cert/key files, but with Let's Encrypt there's no downside and it's generally better/easier to just create a new one. Make the new one *first* so there's no interruption. The short 90 day window also means you don't even *really* have to revoke the old one in many cases. – ceejayoz Mar 13 '17 at 16:31
  • There is one important reason *not* to make the new one first: this will require the DNS entry to be changed already. The DNS change is a lengthy operation which can take an hour or a day, depending on the cache lifetime. – Tobias Aug 01 '17 at 11:35

6 Answers

9

Supposing you are using the certbot tool to manage your Let's Encrypt certificates, which most people do, it is sufficient to copy the entire /etc/letsencrypt directory from one server to another. All of your certificates, as well as certbot configuration, are in there. So you can continue on the new server exactly as you were before.

Michael Hampton

  • If the new server contains other certificates already, it would be nice to have a list of files which are really needed (and perhaps need to be renamed after copying?) – Tobias Aug 01 '17 at 11:37
7

I'm not a big fan of the suggestion that you move your entire /etc/letsencrypt directory from one server to another. It assumes you're only hosting one site. I've also tried copying the specific files within /etc/letsencrypt to the new server, but that's fiddly and error-prone. So here's my alternative suggestion, which doesn't require any manual tinkering with /etc/letsencrypt and avoids any downtime.

  1. Copy the site files, data etc to your new server
  2. On the new server, create a directory for temporary certificates/keys, I think 'migration' is a suitable name, eg /etc/pki/tls/migration
  3. Create a file name-of-site-fullchain.pem in your migration directory, and copy and paste the contents of your certificate file on the old server from /etc/letsencrypt/live/name.of.site/fullchain.pem into it. Do the same for the key. Create name-of-site-privkey.pem in your migrations directory and copy/paste from /etc/letsencrypt/live/name.of.site/privkey.pem. You probably need to set 600 permissions on the key file too.
  4. Configure your webserver software on the new server to use the cert/key in the migrations directory.
  5. Update your DNS records. While they propagate, some users get the old server, some get the new, but both work fine because they have the same, valid, SSL cert.
  6. Next day, when the DNS has propagated, you'll be able to run certbot on your new server to get an updated cert, which you can renew at any time.
  7. Alter your webserver configuration on the new server to use the new letsencrypt cert.
  8. Delete the cert/key in the migration directory which are no longer needed.
  9. Delete the website and the cert on your old server.
Daniel Howard

  • Works. Thanks for the tip. I have multiple certs (10+) on my server and copying /etc/letsencrypt just does not make sense for one domain. – hrvoj3e Oct 17 '18 at 08:09
  • One thing to look out for. Folder `**/live/**` contains only symlinks to `**/archive/**`, which has versioned files and is only visible and accessible by root. – hrvoj3e Oct 17 '18 at 08:17
  • Works for me. Just to confirm, "6" above is entirely seamless and can be run immediately. If there was an "old" letsencrypt certificate in letsencrypt's certificate directories it can be removed with "certbot delete --cert-name mywebsite.com" so that the renewal will only try and renew the current one. – SomeoneElse Oct 23 '18 at 15:11
  • I agree with this procedure. Especially when certbot on the new server is a higher version than certbot on the old server, there's no guarantee that copying certificates and configuration will work. It's best to get a new cert on the new server, and this procedure ensures there's no downtime or SSL-less time during DNS propagation. – René Pijl Aug 26 '20 at 18:26
3

What you should do here is copy over the /etc/letsencrypt/archive, /etc/letsencrypt/live, and /etc/letsencrypt/renewal directories, taking care to preserve the symlinks in /etc/letsencrypt/live during copying.

The files in /etc/letsencrypt/csr and /etc/letsencrypt/keys are simply named ####_csr-certbot.pem and ####_key-certbot.pem respectively, where #### is an increasing counter. This will create a conflict when trying to merge the files with another /etc/letsencrypt directory.

I wouldn’t worry about copying the other files into /etc/letsencrypt on the other server. You might want to make a backup of the files somewhere, but you won’t need them to move the site to the other server. If you’re curious, the other files in /etc/letsencrypt are:

  1. /etc/letsencrypt/accounts contains ACME registration information. Certbot currently doesn’t have great support for multiple ACME accounts and for the protocol as is, it doesn’t matter. This is something you should at the very least keep a backup of though.

  2. /etc/letsencrypt/csr contains the CSR we used to get your cert.

  3. /etc/letsencrypt/keys contains the private key we generated for your new certificate. Another copy of this is also found in /etc/letsencrypt/archive which you should copy over.

Anoop Naik
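The two answers above (copy /etc/letsencrypt, and copy only archive/, live/ and renewal/ while leaving csr/ and keys/ alone) and Daniel Howard's concern about a new server that already hosts other certificates are demonstrated together here in an added shell example that is not code from any answer in this thread. It moves a single certbot lineage between two trees, keeps the relative live/ -> archive/ symlinks, rewrites the absolute paths certbot stores in renewal/NAME.conf, and then checks that every symlink resolves inside archive/ and that the private key is not group/world readable. It assumes GNU coreutils (`readlink -f`, `stat -c`); the trees it builds under mktemp are constructed test data with placeholder text, not real key material. On a real host you would run it as root and pass /etc/letsencrypt on both sides, then finish with druss's step 6, `certbot renew --dry-run`, on the new server.

```shell
#!/bin/sh
# Added example, not code from any answer in this thread. Moves ONE certbot
# lineage (archive/NAME, live/NAME, renewal/NAME.conf) from an old
# /etc/letsencrypt tree into a new one that already holds other certificates,
# keeps the live/ -> archive/ symlinks intact, leaves csr/, keys/ and accounts/
# alone, and verifies the result. Assumes GNU coreutils (readlink -f, stat -c).
# The trees below are constructed under mktemp with placeholder text, not real keys.
set -eu

# Constructed test data: lay out ROOT the way certbot does for NAME.
make_fake_tree() {
    root="$1"; name="$2"
    mkdir -p "$root/archive/$name" "$root/live/$name" "$root/renewal" "$root/csr" "$root/keys"
    for f in cert chain fullchain privkey; do
        printf 'placeholder %s for %s\n' "$f" "$name" > "$root/archive/$name/${f}1.pem"
        # certbot's live/ entries are relative symlinks into archive/
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
    chmod 700 "$root/archive/$name"
    chmod 600 "$root/archive/$name/privkey1.pem"
    # renewal config records absolute paths, so it must be rewritten if the root moves
    printf 'archive_dir = %s/archive/%s\nprivkey = %s/live/%s/privkey.pem\n' \
        "$root" "$name" "$root" "$name" > "$root/renewal/$name.conf"
    # counter-named files that would collide if csr/ and keys/ were merged
    printf 'csr\n' > "$root/csr/0000_csr-certbot.pem"
    printf 'key\n' > "$root/keys/0000_key-certbot.pem"
}

# copy_lineage SRC_ROOT DST_ROOT NAME: copy only what this one lineage needs.
copy_lineage() {
    src="$1"; dst="$2"; name="$3"
    [ -d "$src/archive/$name" ] || { echo "no archive for $name in $src" >&2; return 1; }
    mkdir -p "$dst/archive" "$dst/live" "$dst/renewal"
    # -a keeps symlinks as symlinks and preserves modes and ownership
    cp -a "$src/archive/$name" "$dst/archive/"
    cp -a "$src/live/$name" "$dst/live/"
    cp -a "$src/renewal/$name.conf" "$dst/renewal/"
    if [ "$src" != "$dst" ]; then
        sed "s#$src#$dst#g" "$dst/renewal/$name.conf" > "$dst/renewal/$name.conf.tmp"
        mv "$dst/renewal/$name.conf.tmp" "$dst/renewal/$name.conf"
    fi
}

# verify_lineage ROOT NAME: every live/ link must resolve inside archive/NAME
# and the private key must not be group/world readable. Returns 1 on any failure.
verify_lineage() {
    root=$(readlink -f "$1"); name="$2"
    for f in cert chain fullchain privkey; do
        link="$root/live/$name/$f.pem"
        [ -L "$link" ] || { echo "$link is not a symlink" >&2; return 1; }
        target=$(readlink -f "$link")
        case "$target" in
            "$root/archive/$name/"*) ;;
            *) echo "$link points outside archive: $target" >&2; return 1 ;;
        esac
        [ -f "$target" ] || { echo "dangling link: $link" >&2; return 1; }
    done
    mode=$(stat -c '%a' "$(readlink -f "$root/live/$name/privkey.pem")")
    case "$mode" in
        600|400) ;;
        *) echo "privkey mode is $mode, expected 600" >&2; return 1 ;;
    esac
}

# Demonstration: the old server has example.com, the new one already has other.example.
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_fake_tree "$work/old" example.com
make_fake_tree "$work/new" other.example
copy_lineage "$work/old" "$work/new" example.com
verify_lineage "$work/new" example.com && echo "example.com migrated into $work/new and verified"
```

Between two real hosts the same three paths can be shipped with `tar -C /etc/letsencrypt -cf - archive/NAME live/NAME renewal/NAME.conf | ssh newhost tar -C /etc/letsencrypt -xf -`, which preserves the symlinks and modes the same way `cp -a` does here; the path rewrite is only needed if /etc/letsencrypt itself lives somewhere else on the new box.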
2

Some of this has already been said, but just to give one complete answer. I have started to use some LE certs on public services. Options for moving are almost unrestricted, more dependent on what project you are using to request the certs. Once you get the cert, you can export the key and cert to a file for moving to any server you like. You should not need to revoke anything to get a new cert. With the short lifespan of LE certs (3 months) and free cost, they are being treated as disposable by most that I find.

I have used the ACMEsharp by eBekker project to build a powershell script to automate getting a new cert. This is what I have so far. It currently must run on the web server.

https://github.com/ebekker/ACMESharp

## This requires the ACMESharp module from EBekker
## (https://github.com/ebekker/ACMESharp); it must run on the web server
## because it writes the http-01 challenge file into the site's web root.

$dns = "www.example.com"
$webRoot = "C:\inetpub\wwwroot"

# Aliases for the identifier and certificate, unique per run/day
$idRef = "$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd_HH-mm")"
$certRef = "cert-$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd")"

Import-Module AcmeSharp
Write-Host "Getting a new challenge"
New-ACMEIdentifier -Dns $dns -Alias $idRef | Out-Null
$challenges = Complete-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Handler manual
$httpChallenge = ($challenges.Challenges | Where-Object {$_.Type -like 'http-01'}).Challenge

Write-Host "Creating challenge folder path"
New-Item -ItemType Directory -Path "$webRoot\$($httpChallenge.FilePath)" -Force | Out-Null

$challengeFilePath = "$webRoot\$($httpChallenge.FilePath)\Default.htm"

if (Test-Path -Path $challengeFilePath) {
    Remove-Item -Path $challengeFilePath -Force
}

Write-Host "Adding challenge text to the requested path"
Add-Content -Path $challengeFilePath -Value $httpChallenge.FileContent -Force | Out-Null

Write-Host "Waiting 15 sec..."
Start-Sleep -Seconds 15

Write-Host "Submitting challenge"
Submit-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Force | Out-Null

Write-Host "Waiting 15 sec..."
Start-Sleep -Seconds 15

$id = Update-ACMEIdentifier -IdentifierRef $idRef

if ($id.Status -eq "pending") {
    Write-Host "Challenge still pending, waiting 30 sec and retrying"
    Start-Sleep -Seconds 30
    # Re-assign so the status check below sees the refreshed state
    $id = Update-ACMEIdentifier -IdentifierRef $idRef
}

if ($id.Status -ne "valid") {
    throw "Identifier could not be validated."
}
else {
    Write-Host "Challenge appears completed. Building cert"
    New-ACMECertificate -IdentifierRef $idRef -Alias $certRef -Generate | Out-Null
    Submit-ACMECertificate -CertificateRef $certRef | Out-Null
    Start-Sleep -Seconds 15
    Update-ACMECertificate -CertificateRef $certRef

    # Export key, cert and a PFX bundle so they can be moved to any server
    Get-ACMECertificate -CertificateRef $certRef -ExportKeyPEM C:\SSL\$dns.key.pem -ExportCertificatePEM C:\SSL\$dns.crt.pem -ExportPkcs12 C:\SSL\$dns.pfx

    #Install Cert
    #Install-ACMECertificateToIIS -Certificate $certRef
}
Cory Knutson

  • Thanks! I had actually tried making a new cert, but it would give me a bad certificate error when loading the page. Turns out all I had to do was restart Nginx. – Kecoey Mar 15 '17 at 16:45
0
  1. Archive certificates on the old servers
  2. Move them to a new server
  3. Extract to the correct location
  4. Create symlinks
  5. Redirect domain
  6. Dry run to verify certs on the new server.

Based on this article: https://druss.co/2019/03/migrate-letsencrypt-certificates-certbot-to-new-server/

druss
-1

The only constraint with letsencrypt is to prove that you are the owner of the site or server; after that you need to:
  - Point your DNS to the new server.
  - Test the cert on the new server.

M. BY

  • Don't even have to point the DNS first. You can use the manual auth flow and put the proof file on the old server, or you can use the DNS-based challenge method. – ceejayoz Mar 13 '17 at 16:34