5 Simple Steps to Migrate Let’s Encrypt Certificates (certbot) to a New Server

By | March 26, 2019

Advertisement from Google

This guide is helpful for people who decided to migrate a website to another web server and have SSL certificates from Let’s Encrypt

letsencryptNote: This article describes the process for Ubuntu 18.04 but can also be used for other Linux distros (maybe with some small changes). As well, replace divbyte.com with your own domain

 

To successfully migrate your certificates you need to do this 5 simple steps:

  • Archive certificates on the old servers
  • Move them to a new server
  • Extract to the correct location
  • Create symlinks
  • Redirect domain

Let’s go through them in a bit more details:

Archive SSL certificates

First of all, you should find the actual location of the certificates. You can open your nginx or apache configuration to see the location:

cat /etc/nginx/sites-enabled/divbyte.com
...
 ssl_certificate /etc/letsencrypt/live/divbyte.com/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/divbyte.com/privkey.pem; # managed by Certbot
...

But this is not the actual place where certificates are located. These are symlinks, to see the actual location you should execute the following command:

sudo ls -l /etc/letsencrypt/live/divbyte.com
total 0
lrwxrwxrwx 1 root root 46 Mar 25 13:23 cert.pem -> /etc/letsencrypt/archive/divbyte.com/cert2.pem
lrwxrwxrwx 1 root root 47 Mar 25 13:24 chain.pem -> /etc/letsencrypt/archive/divbyte.com/chain2.pem
lrwxrwxrwx 1 root root 51 Mar 25 13:24 fullchain.pem -> /etc/letsencrypt/archive/divbyte.com/fullchain2.pem
lrwxrwxrwx 1 root root 49 Mar 25 13:24 privkey.pem -> /etc/letsencrypt/archive/divbyte.com/privkey2.pem

You also need to archive renewal config for your website. It’s located in the /etc/letsencrypt/renewal/<domain>/ folder. To archive all files, run the following:

sudo tar -chvzf certs.tar.gz /etc/letsencrypt/archive/divbyte.com /etc/letsencrypt/renewal/divbyte.com.conf

Now you can copy this archive to the web site location, so you can download it to the new server in the next step:

cp certs.tar.gz /var/www/divbyte.com/html/

Move SSL certificates

This is a really simple step. Log in to the new server and download certificates:


Advertisement from Google

ssh sevennet.org
wget https://divbyte.com/certs.tar.gz

Extract to the correct location

Now you need to extract files to the correct location on the new server. Insite archive we already have the correct folder structure, so you can extract it “as is” if you are in the root folder:

cd /
sudo tar -xvf ~/certs.tar.gz

Note: If on the new server you have different Linux distro or custom letsencrypt installation you may need to manually copy files to the correct location.

Create symlinks

For the correct work, you need to create symlinks in the live folder for your domain:

sudo ln -s /etc/letsencrypt/archive/divbyte.com/cert2.pem /etc/letsencrypt/live/divbyte.com/cert.pem
sudo ln -s /etc/letsencrypt/archive/divbyte.com/chain2.pem /etc/letsencrypt/live/divbyte.com/chain.pem
sudo ln -s /etc/letsencrypt/archive/divbyte.com/fullchain2.pem /etc/letsencrypt/live/divbyte.com/fullchain.pem
sudo ln -s /etc/letsencrypt/archive/divbyte.com/privkey2.pem /etc/letsencrypt/live/divbyte.com/privkey.pem

Point domain to the new server

Update nginx or apache configuration to use new certificates (for nginx):

 ssl_certificate /etc/letsencrypt/live/divbyte.com/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/divbyte.com/privkey.pem; # managed by Certbot

Go to your DNS manager and change the A record, so it is pointing to the new server.

Note: At this point, you should have all the content and database migrated to the new server, so you can safely switch your domain to the new server.

This step is required to successfully run a test renewal:

sudo letsencrypt renew --dry-run

You do not need to modify cron tasks for certbot since it’s configured in a way that will renew all certificates:

sudo cat /etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

That’s it, the domain name is pointing to the new server and certificates can be automatically renewed

Leave a Reply

Your email address will not be published. Required fields are marked *