
I have a server out there that supports HTTPS using a certbot/letsencrypt certificate.

I am doing a general software upgrade so to minimize risks and downtime, I'm installing new releases on a new server on which I import the live server data for tests. When everything works I'll have the DNS record changed to point to the new server.

My question is: what should I do for the certificate? Can I just copy over the existing one and let it get renewed when necessary? Or will the certificate be incompatible and/or LE will complain that the address has changed during the auto-renewal process? Will LE be sensitive to reverse DNS (it may take some more delay for the reverse DNS to work)? Is there any other problem I didn't think about?

xenoid

3 Answers


By default, Certbot/Letsencrypt stores its configuration files and generated certificates in /etc/letsencrypt. So you just need to install Certbot on the new server and copy the directory from the old one. Of course you're going to have to configure the webserver (Apache, Nginx, whatever you're using) to point to the certificates on the new server.


You can copy the certificate across; it will work. Maybe configure the current server as a reverse proxy to the other server and you'll be sorted until you make the final move. I hope I could help :)


For those of you that are migrating from one server to another server where Let's Encrypt certbot already exists, I can share my recent experience.

First I updated the NginX config on the new server, where I created a new server block with the config from the old server. But I changed the ssl_certificate and ssl_certificate_key paths to match the existing paths.

Then I changed the DNS records, which made my server return an invalid certificate for a brief moment!

Lastly I ran:

certbot --nginx

which created a new certificate for the existing + new domain.

The total downtime was less than 1 minute.

Juraj
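The first answer (copy /etc/letsencrypt across) and the last one (switch DNS, then renew) leave out the checks a careful admin runs before flipping DNS: that the copied key and certificate still belong together, that the cert is not about to expire, and that the new server actually presents it for the domain via SNI. This script is an added example, not code from any of the answers; it assumes openssl is installed, and the domain, the new server's IP and the live path are placeholders.

```bash
#!/usr/bin/env bash
# Added example: pre-cutover checks after copying /etc/letsencrypt to the
# new server. DOMAIN and NEW_HOST below are placeholders (assumptions).
set -euo pipefail

DOMAIN="${DOMAIN:-example.com}"        # placeholder domain
NEW_HOST="${NEW_HOST:-192.0.2.10}"     # placeholder new-server IP (TEST-NET-1)
LIVE="/etc/letsencrypt/live/$DOMAIN"   # certbot's default layout

# Copy the whole directory, preserving the live/ -> archive/ symlinks certbot
# relies on for renewal. Run from the old server; not used by the checks.
copy_letsencrypt() {
  rsync -aH --delete /etc/letsencrypt/ "root@$NEW_HOST:/etc/letsencrypt/"
}

# 0 if the public key in the certificate equals the one derived from the
# private key, i.e. the copied pair still belongs together.
cert_matches_key() {
  local cert="$1" key="$2"
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = \
    "$(openssl pkey -in "$key" -pubout)" ]
}

# 0 if the certificate stays valid for at least $2 more days
# (certbot renews 30 days before expiry, so anything shorter needs a renewal).
cert_valid_for_days() {
  local cert="$1" days="${2:-30}"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# SHA-256 fingerprint of a PEM certificate file.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Ask the new server (by IP, before DNS changes) for its certificate using SNI
# for $DOMAIN, and compare it with the copied fullchain.pem.
served_cert_matches_file() {
  local served
  served=$(openssl s_client -connect "$NEW_HOST:443" -servername "$DOMAIN" \
             </dev/null 2>/dev/null \
           | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
  [ -n "$served" ] && [ "$served" = "$(cert_fingerprint "$LIVE/fullchain.pem")" ]
}

if [ "${1:-}" = "check" ]; then
  cert_matches_key "$LIVE/fullchain.pem" "$LIVE/privkey.pem" && echo "key/cert pair OK"
  cert_valid_for_days "$LIVE/fullchain.pem" 30 && echo "cert valid for >30 days"
  served_cert_matches_file && echo "new server serves the copied cert for $DOMAIN"
fi
```

Run it as `./precheck.sh check` on the new server once the copy is done; only when all three lines print is the DNS change safe to make without the brief invalid-certificate window the last answer describes.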