Let's Encrypt SSL certificate moving to a new server

It is a record of moving work of Let's Encrypt SSL certificate. I am moving the SSL certificate created by Let's Encrypt to a new server, and I will publish the procedure at that time.

Which file should I move?

The first question is, which files should I move to get certbot to work properly at the destination? The concern is that the certbot has been upgraded and the configuration files are incompatible.

Let's Encrypt's SSL certificate has issuance restrictions, and if you continue to request a certificate by mistake, you will not be able to obtain it for a certain period of time, which is also a reason to be cautious.

The directory structure of the migration source was like this. The domain name has been changed to "www.myhost.example".

/ etc / letsencrypt
/ etc / letsencrypt / renewal-hooks
/ etc / letsencrypt / renewal-hooks / post
/ etc / letsencrypt / renewal-hooks / deploy
/ etc / letsencrypt / renewal-hooks / pre
/ etc / letsencrypt / archive
/etc/letsencrypt/archive/www.myhost.example
/etc/letsencrypt/archive/www.myhost.example/chain2.pem
/etc/letsencrypt/archive/www.myhost.example/cert1.pem
/etc/letsencrypt/archive/www.myhost.example/chain1.pem
/etc/letsencrypt/archive/www.myhost.example/fullchain3.pem
/etc/letsencrypt/archive/www.myhost.example/fullchain1.pem
/etc/letsencrypt/archive/www.myhost.example/chain4.pem
/etc/letsencrypt/archive/www.myhost.example/privkey3.pem
/etc/letsencrypt/archive/www.myhost.example/privkey2.pem
/etc/letsencrypt/archive/www.myhost.example/cert3.pem
/etc/letsencrypt/archive/www.myhost.example/fullchain4.pem
/etc/letsencrypt/archive/www.myhost.example/chain3.pem
/etc/letsencrypt/archive/www.myhost.example/cert4.pem
/etc/letsencrypt/archive/www.myhost.example/privkey1.pem
/etc/letsencrypt/archive/www.myhost.example/fullchain2.pem
/etc/letsencrypt/archive/www.myhost.example/cert2.pem
/etc/letsencrypt/archive/www.myhost.example/privkey4.pem
/etc/letsencrypt/.updated-options-ssl-apache-conf-digest.txt
/ etc / letsencrypt / csr
/etc/letsencrypt/csr/0147_csr-certbot.pem
/etc/letsencrypt/csr/0173_csr-certbot.pem
/etc/letsencrypt/csr/0241_csr-certbot.pem
/etc/letsencrypt/csr/0026_csr-certbot.pem
/etc/letsencrypt/csr/0049_csr-certbot.pem
/etc/letsencrypt/csr/0252_csr-certbot.pem
/etc/letsencrypt/csr/0243_csr-certbot.pem
/ etc / letsencrypt / accounts
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/32d2139cf78454841dbfafc66f94f9c9
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/32d2139cf78454841dbfafc66f94f9c9/regr.json
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/32d2139cf78454841dbfafc66f94f9c9/meta.json
/etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org/directory/32d2139cf78454841dbfafc66f94f9c9/private_key.json
/ etc / letsencrypt / keys
/etc/letsencrypt/keys/0045_key-certbot.pem
/etc/letsencrypt/keys/0139_key-certbot.pem
/etc/letsencrypt/keys/0002_key-certbot.pem
/etc/letsencrypt/keys/0152_key-certbot.pem
/ etc / letsencrypt / live
/etc/letsencrypt/live/www.myhost.example
/etc/letsencrypt/live/www.myhost.example/privkey.pem
/etc/letsencrypt/live/www.myhost.example/README
/etc/letsencrypt/live/www.myhost.example/chain.pem
/etc/letsencrypt/live/www.myhost.example/cert.pem
/etc/letsencrypt/live/www.myhost.example/fullchain.pem
/etc/letsencrypt/live/www.ganeshiaru.co.jp
/etc/letsencrypt/options-ssl-apache.conf
/ etc / letsencrypt / renewal
/etc/letsencrypt/renewal/www.myhost.example.conf

The version of certbot is 1.0.0.

certbot --version
certbot 1.0.0

The version of the destination certbot is "0.27.0". Why is the version down ???

certbot --version
certbot 0.27.0

What you need, what you don't need

"Options-ssl-apache.conf" is for automatic setting of SSL certificate in Apache, but I decided to set it manually, so I don't need it.

I don't need "renewal-hooks" because they are empty.

Considering only the SSL certificate read from Apache, you should move the SSL certificate under the "live" directory.

The question is, what information does Let's Encrypt need for the update to be correct?

Apparently, the configuration file for renewing the SSL certificate for each domain of Let's Encrypt is in "/ etc / letsencrypt / renewal". It seems necessary to move.

Let's Encrypt account information seems to be in "/ etc / letsencrypt / accounts / etc / letsencrypt / accounts". It seems necessary to move.

It seems that "/ etc / letsencrypt / archive" contains information on all Let's Encrypt SSL certificates from the past. This certificate information is referenced from within the live directory. This is necessary.

"/ Etc / letsencrypt / csr" and "/ etc / letsencrypt / keys" seem to exist only for backup. This doesn't look annoying.

So, it seems safe to move everything as it is.

What you need to move Let's Encrypt SSL certificate

What you need to move your Let's Encrypt SSL certificate. Let's move everything under "/ etc / letsencrypt".

  • / etc / letsencrypt

You have to move with root privileges

Since the "/ etc / letsencrypt" directory must be moved with root privileges, the necessary items are fixed in tar.gz with "sudo tar cfv", moved to the migration destination, and "sudo tar xfv" is expanded. Step on.

Since root login is prohibited, you cannot move with rsync.

Working at the source

Tar it and move it to the application user's home directory. Owned so that it can be erased immediatelyAlso change to the application user.

cd / etc
sudo tar cfv letsencrypt.tar.gz letsencrypt
sudo chown myapp letsencrypt.tar.gz
sudo mv letsencrypt.tar.gz /home/myapp/

Reference: sudo, cd , tar, chown, mv

Move to the home directory of the application user you are moving to.

Working at the destination

Unzip it, copy it with rsync, and recursively change the owner to root.

cd ~
tar xfv letsencrypt.tar.gz
sudo rsync -av letsencrypt / / etc / letsencrypt /
sudo chown -R root: root / etc / letsencrypt /

Delete unnecessary files described above. You can leave it as it is, even if you don't erase it.

Check webroot_map in the configuration file in the renewal directory

If the user name has been changed when you moved, you need to update the path described in the configuration file in the renewal directory.

[[webroot_map]]
www.myhost.example = /home/myapp/fooapp/public

Associated Information