5 Simple Steps to Migrate Let's Encrypt Certificates (certbot) to a New Server

This guide is helpful for people who decided to migrate a website to another web server and have SSL certificates from Let's Encrypt

Note: This article describes the process for Ubuntu 18.04 but can also be used for other Linux distros (maybe with some small changes). As well, replace site.com with your own domain

To successfully migrate your certificates you need to do this 5 simple steps:

Archive certificates on the old servers
Move them to a new server
Extract to the correct location
Create symlinks
Redirect domain

Let's go through them in a bit more details:

Archive SSL certificates

First of all, you should find the actual location of the certificates. You can open your nginx or apache configuration to see the location:

cat /etc/nginx/sites-enabled/site.com
...
 ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem; # managed by Certbot
...

But this is not the actual place where certificates are located. These are symlinks, to see the actual location you should execute the following command:

sudo ls -l /etc/letsencrypt/live/site.com
total 0
lrwxrwxrwx 1 root root 46 Mar 25 13:23 cert.pem -> /etc/letsencrypt/archive/divbyte.com/cert2.pem
lrwxrwxrwx 1 root root 47 Mar 25 13:24 chain.pem -> /etc/letsencrypt/archive/divbyte.com/chain2.pem
lrwxrwxrwx 1 root root 51 Mar 25 13:24 fullchain.pem -> /etc/letsencrypt/archive/divbyte.com/fullchain2.pem
lrwxrwxrwx 1 root root 49 Mar 25 13:24 privkey.pem -> /etc/letsencrypt/archive/divbyte.com/privkey2.pem

You also need to archive renewal config for your website. It's located in the /etc/letsencrypt/renewal/<domain>/ folder. To archive all files, run the following:

sudo tar -chvzf certs.tar.gz /etc/letsencrypt/archive/site.com /etc/letsencrypt/renewal/divbyte.com.conf

Now you can copy this archive to the web site location, so you can download it to the new server in the next step:

scp certs.tar.gz admin@sevennet.org:/home/admin/

Replace admin@sevennet.org with the destination server info, where admin is a username and sevennet.org is a target server domain or IP.

Move SSL certificates

This is a really simple step. Log in to the new server and extract the certificates:

ssh admin@sevennet.org

Extract to the correct location

Now you need to extract files to the correct location on the new server. Insite archive we already have the correct folder structure, so you can extract it "as is" if you are in the root folder:

cd /
sudo tar -xvf ~/certs.tar.gz

Note: If on the new server you have different Linux distro or custom letsencrypt installation you may need to manually copy files to the correct location.

Create symlinks

For the correct work, you need to create symlinks in the live folder for your domain:

sudo ln -s /etc/letsencrypt/archive/site.com/cert2.pem /etc/letsencrypt/live/divbyte.com/cert.pem
sudo ln -s /etc/letsencrypt/archive/site.com/chain2.pem /etc/letsencrypt/live/divbyte.com/chain.pem
sudo ln -s /etc/letsencrypt/archive/site.com/fullchain2.pem /etc/letsencrypt/live/divbyte.com/fullchain.pem
sudo ln -s /etc/letsencrypt/archive/site.com/privkey2.pem /etc/letsencrypt/live/divbyte.com/privkey.pem

Point domain to the new server

Update nginx or apache configuration to use new certificates (for nginx):

 ssl_certificate /etc/letsencrypt/live/site.com/fullchain.pem; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/site.com/privkey.pem; # managed by Certbot

Go to your DNS manager and change the A record, so it is pointing to the new server.

Note: At this point, you should have all the content and database migrated to the new server, so you can safely switch your domain to the new server.

This step is required to successfully run a test renewal:

sudo letsencrypt renew --dry-run

You do not need to modify cron tasks for certbot since it's configured in a way that will renew all certificates:

sudo cat /etc/cron.d/certbot

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

That's it, the domain name is pointing to the new server and certificates can be automatically renewed

Cleanup the old server

Now you can remove certificates and renewal config from the old server, execute the following:

rm /etc/letsencrypt/renewal/site.com.conf
rm -rf /etc/letsencrypt/renewal/site.com

Do not forget to change the location (the one you found in the first step)

And now you can update your Nginx or Apache config and remove the SSL/HTTPS configuration section.

void

2019-12-10 16:38:31

Hi Ivan, with the copying certificate archive to the web server (via "cp certs.tar.gz /var/www/divbyte.com/html/") you just have shared the server private key with the whole world, effectively ruining the very idea of secure HTTP. Now *everyone* can "wget https://divbyte.com/certs.tar.gz" and decrypt all the traffic.

Ivan

2019-12-10 19:23:43

@void: Good luck with that :) If I didn't include rm command in the article doesn't mean I left the file there (you could actually check it yourself)

the f

2019-12-27 18:22:36

the file would nevertheless be available during the migration.
Instead, the `tar.gz` should be moved from server to server (via rsync, scp, etc); never by having the file on the web's path

IVAN

2020-01-06 16:32:15

@the f
I totally agree with you. Another way to make it safer, encrypt the tar.gz file with gpg or openssl (or add basic auth to the web URL)

John

2020-02-20 10:14:35

Hello,
Thanks for this article. I was wondering if you did the migration before or after installing certbot on the new server ?
Thanks a lot

Peter

2020-02-24 02:16:40

Please change the article to use scp to copy and not copy the archive to the web server. To many people will just copy and paste and not remove the archive.

2020-02-27 12:23:29

@Peter Article is updated, thanks for the feedback
@John I did the migration after installing certbbot on the new server

Ralf

2020-03-24 23:21:51

Hey! Great article! I just tried to reproduce and have one problem: On the new server no certificate was installed before. So the /etc/letsencrypt/live/divbyte.com folder didn't exist. Ok, easy. But now everything was set as you described, the server still doesn't listen on 443. I suppose the SSL-mods are still not loaded. Normally the configuration of apache is done by letsencrypt when running "sudo certbot --apache". What do I need to do? Shall I put ssl.conf. ssl.load socache_shmcb.load into mods_available, create symlinks as in the article and copy 000-default-le-ssl.conf into sits-available and sites-enabled? or is there a smarter way? (sorry, new to all of that)
Thanks, Ralf

alejandrob

2020-04-06 02:00:37

1. Excellent writeup!
2. Ensure scp, NOT cp is used to SECURE copy the certificates.
3. (optional paranoid step) Include a cleanup task, in the form of rm (remove) the certificates from the OLD server if it's not going to be destroyed right away.

Thanks!

DPatte

2020-04-08 19:30:24

After migrating a certificate, what are the steps required to remove the certificate from the old server?

Anonymous

2020-05-25 03:01:29

Is there any issues for not using rsync?

thanks,

Duncan

2020-07-09 11:48:36

You can preserve symbolic links compressing with tar -czvf and uncompressing with tar -xhzvf

John Pinto

2020-07-23 13:22:07

Excelent!

2020-10-20 23:20:06

After migrating, the new site shows the certificate installed using certbot certificates but browsers throw an error saying that it is self-signed. it's a wildcard ssl *.mydomain.com

Ram

2021-01-14 03:20:01

Hi. I followed the steps as you mentioned. It worked. But when i try to renew the certificate (with the same private key) using the command sudo certbot renew --reuse-key --force-renewal, I am getting an error. Failed to renew the certificate with error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/xxx does not exist.

Is there any ways to resolve this issue?

Martin Allert

2021-03-30 07:52:02

I just did a simple "rsync -av /etc/letsencrypt/ NEWSERVER:/etc/letsencrypt". The most struggles I had: I forgot firewalld and had to set some permanent firewall rules.

Felipe Sologuren

2021-04-01 21:01:11

@RAM You need to copy the file /etc/letsencrypt/renew/divbyte.com.conf to the new server. To activate an account in the new server if haven't yet (certbot register...), and modify account and server fields in the copied file with the new values.
Finally you can test the new setting with
sudo certbot renew --dry-run --cert-name divbyte.com

Elgsylvain85

2021-11-30 08:42:21

Thank you guy. I was facing problem to copy original files due to symbolic link.

Anders Persson BSharp AB

2023-06-22 17:01:16

I would like to only migrate one of two certificates to a new server. If it is possible, how do I do it?