This guide is helpful for people who decided to migrate a website to another web server and have SSL certificates from Let's Encrypt

letsencryptNote: This article describes the process for Ubuntu 18.04 but can also be used for other Linux distros (maybe with some small changes). As well, replace with your own domain


To successfully migrate your certificates you need to do this 5 simple steps:

  • Archive certificates on the old servers
  • Move them to a new server
  • Extract to the correct location
  • Create symlinks
  • Redirect domain

Let's go through them in a bit more details:

Archive SSL certificates

First of all, you should find the actual location of the certificates. You can open your nginx or apache configuration to see the location:

cat /etc/nginx/sites-enabled/
 ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot

But this is not the actual place where certificates are located. These are symlinks, to see the actual location you should execute the following command:

sudo ls -l /etc/letsencrypt/live/
total 0
lrwxrwxrwx 1 root root 46 Mar 25 13:23 cert.pem -> /etc/letsencrypt/archive/
lrwxrwxrwx 1 root root 47 Mar 25 13:24 chain.pem -> /etc/letsencrypt/archive/
lrwxrwxrwx 1 root root 51 Mar 25 13:24 fullchain.pem -> /etc/letsencrypt/archive/
lrwxrwxrwx 1 root root 49 Mar 25 13:24 privkey.pem -> /etc/letsencrypt/archive/

You also need to archive renewal config for your website. It's located in the /etc/letsencrypt/renewal/<domain>/ folder. To archive all files, run the following:

sudo tar -chvzf certs.tar.gz /etc/letsencrypt/archive/ /etc/letsencrypt/renewal/

Now you can copy this archive to the web site location, so you can download it to the new server in the next step:

scp certs.tar.gz

Replace with the destination server info, where admin is a username and is a target server domain or IP.

Move SSL certificates

This is a really simple step. Log in to the new server and extract the certificates:


Extract to the correct location

Now you need to extract files to the correct location on the new server. Insite archive we already have the correct folder structure, so you can extract it "as is" if you are in the root folder:

cd /
sudo tar -xvf ~/certs.tar.gz

Note: If on the new server you have different Linux distro or custom letsencrypt installation you may need to manually copy files to the correct location.

Create symlinks

For the correct work, you need to create symlinks in the live folder for your domain:

sudo ln -s /etc/letsencrypt/archive/ /etc/letsencrypt/live/
sudo ln -s /etc/letsencrypt/archive/ /etc/letsencrypt/live/
sudo ln -s /etc/letsencrypt/archive/ /etc/letsencrypt/live/
sudo ln -s /etc/letsencrypt/archive/ /etc/letsencrypt/live/

Point domain to the new server

Update nginx or apache configuration to use new certificates (for nginx):

 ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
 ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot

Go to your DNS manager and change the A record, so it is pointing to the new server.

Note: At this point, you should have all the content and database migrated to the new server, so you can safely switch your domain to the new server.

This step is required to successfully run a test renewal:

sudo letsencrypt renew --dry-run

You do not need to modify cron tasks for certbot since it's configured in a way that will renew all certificates:

sudo cat /etc/cron.d/certbot


0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew

That's it, the domain name is pointing to the new server and certificates can be automatically renewed

Cleanup the old server

Now you can remove certificates and renewal config from the old server, execute the following:

rm /etc/letsencrypt/renewal/
rm -rf /etc/letsencrypt/renewal/

Do not forget to change the location (the one you found in the first step)

And now you can update your Nginx or Apache config and remove the SSL/HTTPS configuration section.