Dev Notes

Software Development Resources by David Egan.

Moving Site to New Server with Letsencrypt Certificates


LetsEncrypt, SSL, Security, Server
David Egan

When moving a site to a new server, you can migrate the LetsEncrypt certificates. You need to be careful that the /etc/letsencrypt directory is installed on the new server with the proper ownerships and permissions.

This guide is intended for Ubuntu Xenial 16.04.

Important: Because of the nature of the files (security certificates), they should be transferred by means of a secure protocol such as SSH.

Source Server

The /etc/letsencrypt directory on the original server needs to be copied to /etc on the new server.

This is a bit tricky, because the directory is owned by root - you can’t just rsync in and pull down the directory. You could add rsync to the sudo group on the source server as described here (Note: I’ve not tried this) but this makes me nervous due to potential mistakes/mischief.

Instead, sudo rsync the directory to a suitable location and set your user as the owner of the copy. For example:

# Note -p is added
sudo rsync -az -p --progress /etc/letsencrypt ~/
sudo chown -R $USER:$USER ~/letsencrypt

Local Machine

Pull the directory:

# Assumes SSH connection over port 4321
# replace $REMOTEUSER and $SOURCE_IP with suitable values
rsync -az -p -e 'ssh -p 4321' $REMOTEUSER@$SOURCE_IP:~/letsencrypt ~/servers/staging

You can now push this directory to the new location:

# Assumes connection over port 4221
rsync -az -p -e 'ssh -p 4221' ~/servers/staging/letsencrypt $NEW_REMOTE_USER@$DESTINATION_IP:

This will copy the letsencrypt directory to your user's home directory on the destination server.

Destination Server

Move the directory into place and set proper ownership:

# Lack of a trailing slash on the source path makes rsync create the letsencrypt directory inside the destination directory
sudo rsync -az --progress ~/letsencrypt /etc
sudo chown -R root:root /etc/letsencrypt

Firewall Notes: HTTPS

Your firewall needs to open port 443. To check which ports have a service listening on them, use netstat:

netstat -tnl

# Typical output - shows that port 443 is open
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4321            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::4321                 :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN

Note: You need to have a service listening on a port for the port to be determined “open”. This initially confused me - I hadn’t yet set up Apache for SSL (i.e. to listen on 443), and the netstat output did not show an entry for 443 - you might assume that your firewall is blocking the port, when you just do not have any services listening on 443.
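To make the distinction in the note above mechanical, here is a small shell helper, added to this post as an example rather than taken from it, that reads netstat -tnl output and reports whether a port has no listener, a loopback-only listener (reachable from the host but not from outside), or a listener on a non-loopback address. The sample output it carries is a constructed copy of the netstat output shown above; the function names listener_scope and check_https_listener are my own, not anything from the post or from netstat.

```shell
#!/bin/sh
# Added example: classify how a TCP port is bound from `netstat -tnl` output.
# listener_scope PORT reads netstat -tnl style lines on stdin and prints:
#   all   - listening on 0.0.0.0, :: or another non-loopback address
#   local - listening only on 127.0.0.1 / ::1 (not reachable from outside)
#   none  - nothing listening at all, which no firewall rule can fix
listener_scope() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next            # different port, skip
            sub(":" port "$", "", addr)           # strip the ":PORT" suffix
            if (addr == "127.0.0.1" || addr == "::1") loopback = 1
            else external = 1
        }
        END { print (external ? "all" : (loopback ? "local" : "none")) }
    '
}

# Live check for HTTPS on this host (assumes netstat is installed, as in the
# post). Returns 0 only when 443 has a non-loopback listener.
check_https_listener() {
    command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; return 2; }
    scope=$(netstat -tnl 2>/dev/null | listener_scope 443)
    case $scope in
        all)   echo "443: service listening on a non-loopback address"; return 0 ;;
        local) echo "443: only a loopback listener; unreachable from outside"; return 1 ;;
        *)     echo "443: nothing listening; enable SSL in Apache before suspecting the firewall"; return 1 ;;
    esac
}

# Constructed sample: a copy of the netstat output shown in the post.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4321            0.0.0.0:*               LISTEN
tcp6       0      0 ::1:25                  :::*                    LISTEN
tcp6       0      0 :::443                  :::*                    LISTEN
tcp6       0      0 :::4321                 :::*                    LISTEN
tcp6       0      0 :::80                   :::*                    LISTEN'

# Demo against the sample: 443 -> all, 3306 -> local, 8443 -> none
for p in 443 3306 8443; do
    printf '%s -> %s\n' "$p" "$(printf '%s\n' "$SAMPLE_NETSTAT" | listener_scope "$p")"
done
```

The loopback case is worth separating out because it produces the same confusion as the "nothing listening" case: the port shows up in netstat, but a client on the internet still cannot reach it, and again the firewall is not the cause.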

Enable SSL: Apache

The Apache ssl module needs to be enabled for SSL/HTTPS to work:

sudo a2enmod ssl
# Reload Apache so the newly enabled module is picked up:
sudo service apache2 reload

Note re: rsync -p

As far as I’m aware, the -p option is implicit in -a, which is equivalent to -rlptgoD - so probably -p is unnecessary. However, I had a couple of transfers that did not preserve permissions - maybe due to an error on my part, but no harm to include -p. There seems to be quite a subtle set of permissions on the letsencrypt files, so messing them up is not a trivial thing.
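Since the transfer can silently lose permissions, a check after the Destination Server step above is worth having. The following shell script is an example I have added to this post, not something from it or from Certbot; it audits a migrated letsencrypt tree for the two properties a defender most wants preserved and can repair them. The assumptions are mine: every path must be owned by OWNER (root by default, matching the chown -R root:root step), and no private key file (privkey*.pem) may be readable or writable by group or other. The post does not describe Certbot's exact mode set, so nothing beyond those two invariants is enforced. The function names audit_letsencrypt_tree and fix_letsencrypt_tree are my own.

```shell
#!/bin/sh
# Added example (not from the post): audit a migrated letsencrypt tree for the
# ownership and private-key permissions the transfer must preserve.

# audit_letsencrypt_tree DIR [OWNER]
# Prints one line per problem and returns 1 if any were found, 0 otherwise.
# OWNER defaults to root, as in the post's `sudo chown -R root:root`.
audit_letsencrypt_tree() {
    dir=$1
    owner=${2:-root}

    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 1
    fi

    # Two checks, collected into one report:
    #  1. every file, directory and symlink in the tree belongs to OWNER;
    #  2. no private key carries a group/other read or write bit
    #     (-perm -MODE matches when all bits of MODE are set, so each bit is
    #     tested separately; this form is portable across find versions).
    bad=$(
        find "$dir" ! -user "$owner" | sed 's/^/WRONG OWNER: /'
        find "$dir" -type f -name 'privkey*.pem' \
            \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \) \
            | sed 's/^/KEY TOO OPEN: /'
    )

    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# fix_letsencrypt_tree DIR [OWNER]
# Repairs what the audit reports: sets the user owner of the whole tree and
# strips group/other access from private keys. The post also sets the group
# to root; only the user owner is changed here so the helper works for any
# OWNER. Run as root when the target is the real /etc/letsencrypt.
fix_letsencrypt_tree() {
    dir=$1
    owner=${2:-root}
    chown -R "$owner" "$dir"
    find "$dir" -type f -name 'privkey*.pem' -exec chmod go-rw {} +
}

# Stand-alone use on the destination server (skipped when not root or when
# the tree is absent, so the script is harmless to run anywhere):
if [ "$(id -un)" = root ] && [ -d /etc/letsencrypt ]; then
    audit_letsencrypt_tree /etc/letsencrypt || echo "problems found; consider fix_letsencrypt_tree /etc/letsencrypt"
fi
```

Run the audit on the destination after the chown step, and on the source before copying if you want a baseline to compare against; a private key that the audit flags as too open has been readable by every local account since the moment it landed, which is why the check belongs in the procedure rather than being left to chance.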

