5

I have an ubuntu server running through Digital Ocean that has an SSH certificate that I got through LetsEncrypt.

I'm trying to switch to a cheaper service, and I need to move the cert to my new server. How can I do this?

It looks like I can revoke the certificate on my current DO server. Can I then make a new one on my new server without any problems?

Kecoey
  • 153

6 Answers

9

Supposing you are using the certbot tool to manage your Let's Encrypt certificates, which most people do, it is sufficient to copy the entire /etc/letsencrypt directory from one server to another. All of your certificates, as well as certbot configuration, are in there. So you can continue on the new server exactly as you were before.

Michael Hampton
  • 252,907
8

I'm not a big fan of the suggestion that you move your entire /etc/letsencrypt directory from one server to another. It assumes you're only hosting one site. I've also tried copying the specific files within /etc/letsencrypt to the new server, but that's fiddly and error-prone. So here's my alternative suggestion, which doesn't require any manual tinkering with /etc/letsencrypt and avoids any downtime.

  1. Copy the site files, data etc to your new server
  2. On the new server, create a directory for temporary certificates/keys. I think 'migration' is a suitable name, e.g. /etc/pki/tls/migration
  3. Create a file name-of-site-fullchain.pem in your migration directory, and copy and paste the contents of your certificate file on the old server from /etc/letsencrypt/live/name.of.site/fullchain.pem into it. Do the same for the key. Create name-of-site-privkey.pem in your migrations directory and copy/paste from /etc/letsencrypt/live/name.of.site/privkey.pem. You probably need to set 600 permissions on the key file too.
  4. Configure your webserver software on the new server to use the cert/key in the migrations directory.
  5. Update your DNS records. While they propagate, some users get the old server, some get the new, but both work fine because they have the same, valid, SSL cert.
  6. Next day, when the DNS has propagated, you'll be able to run certbot on your new server to get an updated cert, which you can renew at any time.
  7. Alter your webserver configuration on the new server to use the new letsencrypt cert.
  8. Delete the cert/key in the migration directory which are no longer needed.
  9. Delete the website and the cert on your old server.
3

What you should do here is copy over the /etc/letsencrypt/archive, /etc/letsencrypt/live, and /etc/letsencrypt/renewal directories, taking care to preserve the symlinks in /etc/letsencrypt/live during copying.

The files in the /etc/letsencrypt/csr and /etc/letsencrypt/keys are simply named ####_csr-certbot.pem and ####_key-certbot.pem respectively, where #### is an increasing counter. This will create a conflict when trying to merge the files with another /etc/letsencrypt directory.

I wouldn’t worry about copying the other files into /etc/letsencrypt on the other server. You might want to make a backup of the files somewhere, but you won’t need them to move the site to the other server. If you’re curious, the other files in /etc/letsencrypt are:

  1. /etc/letsencrypt/accounts contains ACME registration information. Certbot currently doesn’t have great support for multiple ACME accounts and for the protocol as is, it doesn’t matter. This is something you should at the very least keep a backup of though.

  2. /etc/letsencrypt/csr contains the CSR we used to get your cert.

  3. /etc/letsencrypt/keys contains the private key we generated for your new certificate. Another copy of this is also found in /etc/letsencrypt/archive which you should copy over.

2

Some of this has already been said, but just to give one complete answer. I have started to use some LE certs on public services. Options for moving are almost unrestricted, more dependent on what project you are using to request the certs. Once you get the cert, you can export the key and cert to a file for moving to any server you like. You should not need to revoke anything to get a new cert. With the short lifespan of LE certs (3 months) and free cost, they are being treated as disposable by most that I find.

I have used the ACMEsharp by eBekker project to build a powershell script to automate getting a new cert. This is what I have so far. It currently must run on the web server.

https://github.com/ebekker/ACMESharp

## This requires the ACMESharp module from EBekker
#Import-Module AcmeSharp

$dns = "www.example.com"
$webRoot = "C:\inetpub\wwwroot"

$idRef = "$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd_HH-mm")"
$certRef = "cert-$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd")"

Import-Module AcmeSharp
Write-Host "Getting a new challenge"
New-ACMEIdentifier -Dns $dns -Alias $idRef | Out-Null
# Ask the CA for the challenges and pick the http-01 one (the file it must find under the web root).
$challenges = Complete-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Handler manual
$httpChallenge = ($challenges.Challenges | Where-Object {$_.Type -like 'http-01'}).Challenge

Write-Host "Creating challenge folder path"
New-Item -ItemType Directory -Path "$webRoot\$($httpChallenge.FilePath)" | Out-Null

$challengeFilePath = "$webRoot\$($httpChallenge.FilePath)\Default.htm"

if (Test-Path -Path $challengeFilePath) {
    Remove-Item -Path $challengeFilePath -Force
}

Write-Host "Adding Challenge text to the requested path"
Add-Content -Path $challengeFilePath -Value $httpChallenge.FileContent -Force | Out-Null

Write-Host "Waiting 15 sec..."
Start-Sleep -Seconds 15

Write-Host "Submitting Challenge"
Submit-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Force | Out-Null

Write-Host "Waiting 15 sec..."
Start-Sleep -Seconds 15

$id = Update-ACMEIdentifier -IdentifierRef $idRef

if ($id.Status -eq "pending") {
    Write-Host "Challenge still pending, waiting 30 sec and retrying"
    Start-Sleep -Seconds 30
    # Re-read the identifier so the status check below sees the updated value.
    $id = Update-ACMEIdentifier -IdentifierRef $idRef
}

if ($id.Status -ne "valid") {
    throw "Identifier could not be validated."
}
else {
    Write-Host "Challenge appears completed. Building cert"
    New-ACMECertificate -IdentifierRef $idRef -Alias $certRef -Generate | Out-Null
    Submit-ACMECertificate -CertificateRef $certRef | Out-Null
    Start-Sleep -Seconds 15
    Update-ACMECertificate -CertificateRef $certRef

    Get-ACMECertificate -CertificateRef $certRef -ExportKeyPEM C:\SSL\$dns.key.pem -ExportCertificatePEM C:\SSL\$dns.crt.pem -ExportPkcs12 C:\SSL\$dns.pfx

    #Install Cert 
    #Install-ACMECertificateToIIS -Certificate $certRef
}
Cory Knutson
  • 1,886
0
  1. Archive certificates on the old servers
  2. Move them to a new server
  3. Extract to the correct location
  4. Create symlinks
  5. Redirect domain
  6. Dry run to verify certs on the new server.

Based on this article: https://druss.co/2019/03/migrate-letsencrypt-certificates-certbot-to-new-server/

druss
  • 191
-1

The only constraint with letsencrypt is to prove that you are the owner of the site or server. After that you need to:

  • Point your DNS to the new server.
  • Test the cert in the new server.

M. BY
  • 21