From c4f665b4e17195bade19c70e655d2d07a168691f Mon Sep 17 00:00:00 2001
From: Nathan Steel
Date: Sat, 11 Sep 2021 20:17:38 +0100
Subject: [PATCH] Add how to migrate SSL certs
---
server/nginx_webserver/migrate_ssl_certs.md | 84 +++++++++++++++++++++
1 file changed, 84 insertions(+)
create mode 100644 server/nginx_webserver/migrate_ssl_certs.md
diff --git a/server/nginx_webserver/migrate_ssl_certs.md b/server/nginx_webserver/migrate_ssl_certs.md
new file mode 100644
index 0000000..2c16a41
--- /dev/null
+++ b/server/nginx_webserver/migrate_ssl_certs.md
@@ -0,0 +1,84 @@
+# Migrate SSL Certificated
+https://ivanderevianko.com/2019/03/migrate-letsencrypt-certificates-certbot-to-new-server
+
+## Find the location of Certs
+
+`cat /etc/nginx/sites-available/`
+
+Locate the location of the SSL certificates from there. e.g.
+`ssl_certificate_key /etc/letsencrypt/live/aney.co.uk/privkey.pem;`
+
+Then find the true location of these files (the ones shown are likely symlinks)
+`sudo ls -l /etc/letsencrypt/live/aney.co.uk`
+
+This will potentially show
+`lrwxrwxrwx 1 root root 34 Aug 1 15:16 cert.pem -> ../../archive/aney.co.uk/cert1.pem`
+
+Which can be translated to
+`/etc/letsencrypt/archive/aney.co.uk/cert1.pem`
+
+You'll also need renewel configs
+`/etc/letsencrypt/renewal/aney.co.uk.conf`
+
+### Compress the cert files
+
+`sudo tar -chvzf certs.tar.gz /etc/letsencrypt/archive/aney.co.uk /etc/letsencrypt/renewal/aney.co.uk.conf`
+
+Then move it somewhere easy to access. E.g. a home directory, or /root
+
+`mv certs.tar.gz /home/pi/`
+
+### Add certs to the new server
+
+`scp certs.tar.gz nathan@192.168.1.226:/home/nathan`
+
+## Move Certificates
+
+SSH onto the new server
+
+Change into root directory and extract. This will set the correct filepaths
+
+`cd /`
+`sudo tar -xvf ~/certs.tar.gz`
+
+### Symlink the certs to the "live" folder
+
+#### If the directory doesn't exist, add it
+
+ sudo mkdir /etc/letsencrypt/live /etc/letsencrypt/live/aney.co.uk
+
+#### Actually do the symlinks
+
+ sudo ln -s /etc/letsencrypt/archive/aney.co.uk/cert1.pem /etc/letsencrypt/live/aney.co.uk/cert.pem
+ sudo ln -s /etc/letsencrypt/archive/aney.co.uk/chain1.pem /etc/letsencrypt/live/aney.co.uk/chain.pem
+ sudo ln -s /etc/letsencrypt/archive/aney.co.uk/fullchain1.pem /etc/letsencrypt/live/aney.co.uk/fullchain.pem
+ sudo ln -s /etc/letsencrypt/archive/aney.co.uk/privkey1.pem /etc/letsencrypt/live/aney.co.uk/privkey.pem
+
+
+### Add SSL certificated into the nginx config
+
+` ssl_certificate /etc/letsencrypt/live/aney.co.uk/fullchain.pem; # managed by Certbot
+ ssl_certificate_key /etc/letsencrypt/live/aney.co.uk/privkey.pem; # managed by Certbot`
+
+#### Do it from the other server
+
+`scp /etc/nginx/sites-available/aney nathan@192.168.1.226:/etc/nginx/sites-available/aney_srv`
+
+Rename the existing config if it exists.
+
+`mv aney.co.uk aney.co.uk.PRE-MIGRATE`
+
+Rename the new/existing server's config
+
+`mv aney_srv aney.co.uk`
+
+### Point domain to new server
+
+Change the A records in your DNS to point towards the new server.
+
+If it's a new replacement/internal server, the IP for the port forward should
+be all that's needed.
+
+### Run a let's encrypt dry-run
+
+`sudo letsencrypt renew --dry-run`