3

I have a server out there that supports HTTPS using a certbot/letsencrypt certificate.

I am doing a general software upgrade so to minimize risks and downtime, I'm installing new releases on a new server on which I import the live server data for tests. When everything works I'll have the DNS record changed to point to the new server.

My question is what should I do for the certificate? Can I just copy over the existing one and let it get renewed when necessary? Or will the certificate be incompatible and/or LE will complain that the address has changed during the auto-renewal process? Will LE be sensitive to reverse DNS (it may take some more delay for the reverse DNS to work)? Is there any other problem I didn't think about?

xenoid
  • 353
  • 1
  • 3
  • 10
  • Note that forgetting to update the DNS record to the new IP would lead to `SSL_ERROR_BAD_CERT_DOMAIN` errors when trying to reuse the existing certificate on the new machine (and all services using your domain would still point to the old machine). – mirekphd Oct 16 '22 at 09:15

2 Answers

9

By default, Certbot/Letsencrypt stores their configuration files and generated certificates in /etc/letsencrypt. So you just need to install Certbot into the new server and copy the directory from the old one. Of course you're gonna have to configure the webserver (Apache, Nginx, whatever you're using), pointing to the certificates in the new server.

Stefano Martins
  • 1,221
  • 8
  • 10
  • 2
    To add to this, moving the `/etc/letsencrypt` directory moves the private keys and the validation config as well, so `certbot renew` will "just work". I did just that a week ago, so the memory is still fresh. – Zalán Meggyesi Jan 13 '20 at 19:58
2

You can copy the certificate across; it will work. Maybe configure the current server as a reverse proxy to the other server and you'll be sorted until you make the final move. I hope I could help :)

  • 1
    A couple more files are worth preserving, namely: 1. the account URL and private key (which sit in `/etc/letsencrypt/account`); if you lose them, there is no way to administer your existing certificates, though requesting a new certificate for the same domain name might automatically revoke the old one. 2. the renewal parameters in `/etc/letsencrypt/renewal`, although if you lose them, you can recreate them. – Piotr P. Karwasz Jan 13 '20 at 20:20
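As an added example, not code from either answer or from certbot itself, the bash script below does the copy the first answer describes and then checks the points the comments raise. The copy goes through `tar` so that the `live/` entries stay symlinks into `archive/` and private-key permissions survive; a copy made with `scp -r` or `cp -rL` turns those symlinks into plain files, which later makes `certbot renew` refuse to rotate the lineage. The verifier then confirms that the ACME account directory (`accounts/`, the directory name certbot actually creates) and `renewal/` came along, that every `live/<name>/*.pem` is a symlink that resolves, and that the key is not world-readable. The `example.com` lineage, the placeholder PEM bodies and the `ACCOUNT_ID_PLACEHOLDER` directory are constructed for the demonstration; on a real system the source is `/etc/letsencrypt` on the old host and the destination the same path on the new one.

```shell
#!/usr/bin/env bash
# Migrate a certbot state directory to a new host and verify the copy.
# Constructed example; paths are parameters. On a real migration SRC is
# /etc/letsencrypt on the old server, DST the same path on the new one,
# e.g.: ssh old 'tar -C /etc/letsencrypt -cf - .' | sudo tar -C /etc/letsencrypt -xf -
set -u

# Copy preserving symlinks and permission bits. tar never dereferences the
# live/ -> archive/ symlinks the way scp -r or cp -rL would.
migrate_letsencrypt() {
  local src=$1 dst=$2
  mkdir -p "$dst"
  tar -C "$src" -cf - . | tar -C "$dst" -xf -
}

# Checks certbot relies on: live/<name>/*.pem must be symlinks that resolve
# into archive/, the private key must not be world-readable, and the ACME
# account directory plus renewal configs must be present (without the account
# key certbot cannot renew or revoke under the existing account).
verify_letsencrypt() {
  local root=$1 lineage f rc=0
  [ -d "$root/accounts" ] || { echo "missing accounts/"; rc=1; }
  [ -d "$root/renewal" ]  || { echo "missing renewal/"; rc=1; }
  for lineage in "$root"/live/*/; do
    [ -d "$lineage" ] || continue
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
      if [ ! -L "$lineage$f" ]; then
        echo "$lineage$f is not a symlink (copied with a tool that dereferences links?)"; rc=1
      elif [ ! -e "$lineage$f" ]; then
        echo "$lineage$f is a dangling symlink"; rc=1
      fi
    done
    # find -L follows the symlink, so the mode test applies to the archive file.
    if [ -e "${lineage}privkey.pem" ] && \
       [ -n "$(find -L "${lineage}privkey.pem" -perm -o+r 2>/dev/null)" ]; then
      echo "${lineage}privkey.pem is world-readable"; rc=1
    fi
  done
  return $rc
}

# Build a minimal constructed /etc/letsencrypt layout (placeholder PEM bodies,
# placeholder account id) so the functions above can run without a real server.
make_fixture() {
  local root=$1 name=example.com f
  mkdir -p "$root/accounts/acme-v02.api.letsencrypt.org/directory/ACCOUNT_ID_PLACEHOLDER" \
           "$root/renewal" "$root/archive/$name" "$root/live/$name"
  for f in cert chain fullchain privkey; do
    echo "-----BEGIN PLACEHOLDER $f-----" > "$root/archive/$name/${f}1.pem"
    ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
  done
  chmod 600 "$root/archive/$name/privkey1.pem"
  echo "[renewalparams]" > "$root/renewal/$name.conf"
}

# Demonstration: a correct migration passes, a dereferencing copy is rejected.
work=$(mktemp -d)
make_fixture "$work/old"
migrate_letsencrypt "$work/old" "$work/new"
verify_letsencrypt "$work/new" && echo "migrated copy OK"
mkdir -p "$work/bad" && cp -RL "$work/old/." "$work/bad/"
verify_letsencrypt "$work/bad" || echo "dereferenced copy rejected (as expected)"
rm -rf "$work"
```

After a real copy, `certbot renew --dry-run` on the new host is the final check; it exercises the account key, the renewal configs and the challenge setup without issuing a certificate. The DNS record still has to point at the new host before a real renewal can pass an HTTP-01 challenge, which is what the `SSL_ERROR_BAD_CERT_DOMAIN` comment above is getting at.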