This guide is for people who have decided to migrate a website to another web server and have SSL certificates from Let's Encrypt.
To migrate your certificates successfully, follow these 5 simple steps:
- Archive certificates on the old servers
- Move them to a new server
- Extract to the correct location
- Create symlinks
- Redirect domain
Let's go through them in a bit more detail:
Archive SSL certificates
First of all, you should find the actual location of the certificates. Open your nginx or apache configuration to see where it points:
cat /etc/nginx/sites-enabled/divbyte.com
...
ssl_certificate /etc/letsencrypt/live/divbyte.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/divbyte.com/privkey.pem; # managed by Certbot
...
But this is not where the certificates actually live. These paths are symlinks; to see the real location, run the following command:
sudo ls -l /etc/letsencrypt/live/divbyte.com
total 0
lrwxrwxrwx 1 root root 46 Mar 25 13:23 cert.pem -> /etc/letsencrypt/archive/divbyte.com/cert2.pem
lrwxrwxrwx 1 root root 47 Mar 25 13:24 chain.pem -> /etc/letsencrypt/archive/divbyte.com/chain2.pem
lrwxrwxrwx 1 root root 51 Mar 25 13:24 fullchain.pem -> /etc/letsencrypt/archive/divbyte.com/fullchain2.pem
lrwxrwxrwx 1 root root 49 Mar 25 13:24 privkey.pem -> /etc/letsencrypt/archive/divbyte.com/privkey2.pem
You also need to archive the renewal config for your website. It is the file /etc/letsencrypt/renewal/<domain>.conf. To archive all the files, run the following:
sudo tar -chvzf certs.tar.gz /etc/letsencrypt/archive/divbyte.com /etc/letsencrypt/renewal/divbyte.com.conf
Now copy this archive to the new server, so it is ready for the next step:
scp certs.tar.gz admin@sevennet.org:/home/admin/
Replace admin@sevennet.org with your destination server info, where
admin is a username and
sevennet.org is a target server domain or IP.
Keep in mind that the archive contains your private key, so delete the copy in your home directory on the old server once the transfer is done.
Move SSL certificates
This is a really simple step. Log in to the new server, where the archive was copied, and extract the certificates as described in the next step.
Extract to the correct location
Now you need to extract the files to the correct location on the new server. Inside the archive we already have the correct folder structure, so you can extract it "as is" from the root folder:
cd /
sudo tar -xvf ~/certs.tar.gz
Note: If the new server has a different Linux distro or a custom letsencrypt installation, you may need to copy the files to the correct location manually.
For everything to work correctly, create the live folder for your domain and the symlinks inside it (the live folder is not part of the archive, so it has to be created first):
sudo mkdir -p /etc/letsencrypt/live/divbyte.com
sudo ln -s /etc/letsencrypt/archive/divbyte.com/cert2.pem /etc/letsencrypt/live/divbyte.com/cert.pem
sudo ln -s /etc/letsencrypt/archive/divbyte.com/chain2.pem /etc/letsencrypt/live/divbyte.com/chain.pem
sudo ln -s /etc/letsencrypt/archive/divbyte.com/fullchain2.pem /etc/letsencrypt/live/divbyte.com/fullchain.pem
sudo ln -s /etc/letsencrypt/archive/divbyte.com/privkey2.pem /etc/letsencrypt/live/divbyte.com/privkey.pem
Point domain to the new server
Update the nginx or apache configuration to use the new certificates (for nginx):
ssl_certificate /etc/letsencrypt/live/divbyte.com/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/divbyte.com/privkey.pem; # managed by Certbot
Go to your DNS manager and change the A record, so it is pointing to the new server.
Note: At this point, you should have all the content and database migrated to the new server, so you can safely switch your domain to the new server.
This step is required before a test renewal can succeed, because Let's Encrypt validates the domain by contacting the server the DNS record points to:
sudo letsencrypt renew --dry-run
You do not need to modify the cron tasks for certbot, since the packaged job renews all certificates it finds:
sudo cat /etc/cron.d/certbot
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
That's it: the domain name is pointing to the new server and the certificates can be renewed automatically.
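Before trusting the cron job, it is worth verifying that the restored tree is internally consistent: every live/ symlink resolves into the domain's archive/ folder and the renewal config references exactly those paths (a mismatch is what happens when the archive is extracted under a different prefix, as in the note above). The script below is an added example, not part of the original post; check_le_layout and check_key_matches_cert are hypothetical helper names, and the default certbot layout shown earlier is assumed.

```shell
#!/bin/sh
# Consistency check for a Let's Encrypt tree restored on a new server.
# Added example (not from the original post). Assumes the certbot layout
# shown above: live/<domain>/<name>.pem -> archive/<domain>/<name>N.pem,
# plus renewal/<domain>.conf listing archive_dir and the four live paths.

# Usage: check_le_layout <letsencrypt_root> <domain>
#   e.g. check_le_layout /etc/letsencrypt divbyte.com
# Returns 0 when every link resolves into archive/<domain> and the renewal
# config points at the same files; otherwise prints each problem, returns 1.
check_le_layout() {
    root=$1; domain=$2; status=0
    live="$root/live/$domain"; archive="$root/archive/$domain"
    conf="$root/renewal/$domain.conf"
    for name in cert chain fullchain privkey; do
        link="$live/$name.pem"
        if [ ! -L "$link" ]; then
            echo "missing symlink: $link"; status=1; continue
        fi
        target=$(readlink "$link")
        case "$target" in
            "$archive"/*) ;;   # must point into this domain's archive folder
            *) echo "$link points outside archive: $target"; status=1 ;;
        esac
        [ -f "$target" ] || { echo "dangling link: $link -> $target"; status=1; }
        # certbot renew reads these paths from the conf; stale ones break renewal
        grep -q "^$name = $link\$" "$conf" 2>/dev/null \
            || { echo "$conf does not list $name = $link"; status=1; }
    done
    grep -q "^archive_dir = $archive\$" "$conf" 2>/dev/null \
        || { echo "$conf archive_dir does not match $archive"; status=1; }
    return $status
}

# Optional: confirm privkey.pem really belongs to cert.pem (needs openssl).
# Compares the public key embedded in the certificate with the one derived
# from the private key; any mismatch means the wrong key was restored.
check_key_matches_cert() {
    live="$1/live/$2"
    [ "$(openssl x509 -noout -pubkey -in "$live/cert.pem")" = \
      "$(openssl pkey -pubout -in "$live/privkey.pem")" ]
}
```

Run both checks on the new server (for example `check_le_layout /etc/letsencrypt divbyte.com && check_key_matches_cert /etc/letsencrypt divbyte.com`) before relying on the dry-run result.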
Cleanup the old server
Now you can remove the certificates and the renewal config from the old server. Execute the following:
sudo rm /etc/letsencrypt/renewal/divbyte.com.conf
sudo rm -rf /etc/letsencrypt/live/divbyte.com
sudo rm -rf /etc/letsencrypt/archive/divbyte.com
Do not forget to adjust the paths to the ones you found in the first step.
Finally, update the Nginx or Apache config on the old server and remove the SSL/HTTPS configuration section.