Moving Site to New Server with Letsencrypt Certificates
LetsEncrypt, SSL, Security, Server
When moving a site to a new server, you can migrate the LetsEncrypt certificates. You need to be careful that the /etc/letsencrypt directory is installed on the new server with the proper ownerships and permissions.
This guide is intended for Ubuntu Xenial 16.04.
Important: Because of the nature of the files (security certificates), they should be transferred by means of a secure protocol such as SSH.
Source Server
The /etc/letsencrypt directory on the original server needs to be copied to /etc on the new server.
This is a bit tricky, because the directory is owned by root, so you can’t just rsync in and pull the directory down. You could add rsync to the sudo group on the source server as described here (Note: I’ve not tried this), but this makes me nervous due to potential mistakes/mischief.
Instead, use sudo rsync to copy the directory to a suitable location and make your user the owner of the copy. For example:
Local Machine
Pull the directory:
You can now push this directory to the new location:
This will copy the letsencrypt directory to your user’s home directory on the destination server.
Destination Server
Move the directory into place and set proper ownership:
Firewall Notes: HTTPS
Your firewall needs to open port 443.
To check open ports, use netstat:
Note: a port is only reported as “open” when a service is listening on it. This initially confused me: I hadn’t yet set up Apache for SSL (i.e. to listen on 443), and the netstat output did not show an entry for 443. You might assume that your firewall is blocking the port, when in fact you just do not have any service listening on 443.
Enable SSL: Apache
The Apache ssl module needs to be enabled for SSL/HTTPS to work:
Note re: rsync -p
As far as I’m aware, the -p option is implied by -a, which is equivalent to -rlptgoD, so -p is probably unnecessary. However, I had a couple of transfers that did not preserve permissions (maybe due to an error on my part), but there is no harm in including -p. There seems to be quite a subtle set of permissions on the letsencrypt files, so messing them up is not a trivial thing.
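Because the copy is only correct when ownership, modes and the live/ symlinks all survive the transfer (the Destination Server step and the rsync -p note above), here is an added sanity checker to run on the copied tree before pointing Apache at it. It is example code, not part of the original post; it assumes certbot's default layout on Linux (archive/ and live/ at mode 700, live/<name>/*.pem as symlinks into archive/, privkey*.pem at mode 600) and GNU stat, and the sample tree it builds is constructed with dummy PEM contents.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a copied
# /etc/letsencrypt tree after migration. Assumed layout and modes are
# certbot's defaults on Linux: archive/ and live/ are 0700, live/<name>/*.pem
# are symlinks into ../../archive/<name>/, and privkey*.pem are 0600.
# A copy made without preserving links/perms (rsync without -a/-l, plain cp)
# silently breaks these. Requires GNU stat (Ubuntu). Returns the problem count.
check_letsencrypt_tree() {
    root=$1
    problems=0
    for d in "$root/archive" "$root/live"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"; problems=$((problems + 1)); continue
        fi
        mode=$(stat -c '%a' "$d")
        [ "$mode" = "700" ] || { echo "$d is mode $mode, expected 700"; problems=$((problems + 1)); }
    done
    # live/ must hold symlinks, or certbot renew will no longer update what Apache serves
    for f in "$root"/live/*/*.pem; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        [ -L "$f" ] || { echo "$f is a regular file, not a symlink into archive/"; problems=$((problems + 1)); }
    done
    for k in "$root"/archive/*/privkey*.pem; do
        [ -e "$k" ] || continue
        mode=$(stat -c '%a' "$k")
        case "$mode" in
            600|400) ;;
            *) echo "$k is mode $mode, private key readable by others"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Builds a constructed miniature tree (one fake domain, dummy PEM contents) so the
# checker can be exercised without touching a real /etc/letsencrypt.
make_sample_tree() {
    root=$1
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    chmod 700 "$root/archive" "$root/live"
    for n in cert chain fullchain privkey; do
        echo "dummy $n" > "$root/archive/example.com/${n}1.pem"
        ln -s "../../archive/example.com/${n}1.pem" "$root/live/example.com/$n.pem"
    done
    chmod 600 "$root/archive/example.com/privkey1.pem"
}
```

On a real server run it as root against /etc/letsencrypt (for example `sudo sh -c '. ./check.sh; check_letsencrypt_tree /etc/letsencrypt'`); a non-zero exit with the printed lines tells you exactly which file lost its mode or symlink in transit.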