When moving a site to a new server, you can migrate the LetsEncrypt certificates. You need to be careful that the /etc/letsencrypt directory is installed on the new server with the proper ownerships and permissions.
This guide is intended for Ubuntu Xenial 16.04.
Important: Because of the nature of the files (security certificates), they should be transferred by means of a secure protocol such as SSH.
The /etc/letsencrypt directory on the original server needs to be copied to /etc on the new server.
This is a bit tricky, because the directory is owned by root - you can’t just rsync in and pull down the directory. You could add rsync to the sudo group on the source server as described here (Note: I’ve not tried this) but this makes me nervous due to potential mistakes/mischief.
Instead, sudo rsync the directory to a suitable location and set your user as the owner of the copy. For example:
Pull the directory:
You can now push this directory to the new location:
This will copy the letsencrypt directory to your user's home directory on the destination server.
Move the directory into place and set proper ownership:
Firewall Notes: HTTPS
Your firewall needs to open port 443.
To check open ports, use
Note: You need to have a service listening on a port for the port to be determined “open”. This initially confused me - I hadn’t yet set up Apache for SSL (i.e. to listen on 443), and the netstat output did not show an entry for 443 - you might assume that your firewall is blocking the port, when you just do not have any services listening on 443.
Enable SSL: Apache
The Apache ssl module needs to be enabled for SSL/HTTPS to work:
Note re: rsync -p
As far as I’m aware, the -p option is implicit in -a, which is equivalent to -rlptgoD - so probably -p is unnecessary. However, I had a couple of transfers that did not preserve permissions - maybe due to an error on my part, but no harm to include -p. There seems to be quite a subtle set of permissions on the letsencrypt files, so messing them up is not a trivial thing.
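One way to confirm that a transfer preserved modes and symlinks, as an added example (not part of the original post): record a manifest of the tree on the source server, copy the manifest across, and compare it against the migrated tree. It assumes GNU find, as shipped with Ubuntu; the function names and the manifest file name are hypothetical.

```shell
#!/bin/sh
# Added example: verify a migrated letsencrypt tree against the original.
# Assumes GNU find (for -printf). Function names are hypothetical.

# Print one sorted line per path below DIR:
#   relative path <TAB> type <TAB> octal mode <TAB> symlink target
# Ownership is left out on purpose, because the intermediate copy is
# owned by a normal user during the transfer.
le_manifest() {
    find "$1" -printf '%P\t%y\t%m\t%l\n' | LC_ALL=C sort
}

# Compare a saved manifest file against DIR.
# Prints the differing lines; returns non-zero if anything differs.
le_verify() {
    le_manifest "$2" | diff "$1" -
}

# Print symlinks below DIR whose target does not exist, for example a
# link in the live directory whose target file was not copied.
le_dangling() {
    find "$1" -type l ! -exec test -e {} \; -print
}

# Print every path below DIR that is not owned by OWNER (name or uid).
le_wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Usage sketch (run as root; the manifest file name is an assumption):
#   source server:       le_manifest /etc/letsencrypt > le.manifest
#   destination server:  le_verify le.manifest /etc/letsencrypt
#                        le_dangling /etc/letsencrypt
#                        le_wrong_owner /etc/letsencrypt root
```

No output from all three checks on the destination means modes, symlink targets and ownership match what was recorded on the source.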