Add how to migrate SSL certs
parent
9b5b1e7752
commit
c4f665b4e1
@ -0,0 +1,84 @@
|
|||||||
|
# Migrate SSL Certificated
|
||||||
|
https://ivanderevianko.com/2019/03/migrate-letsencrypt-certificates-certbot-to-new-server
|
||||||
|
|
||||||
|
## Find the location of Certs
|
||||||
|
|
||||||
|
`cat /etc/nginx/sites-available/<site>`
|
||||||
|
|
||||||
|
Locate the location of the SSL certificates from there. e.g.
|
||||||
|
`ssl_certificate_key /etc/letsencrypt/live/aney.co.uk/privkey.pem;`
|
||||||
|
|
||||||
|
Then find the true location of these files (the ones shown are likely symlinks)
|
||||||
|
`sudo ls -l /etc/letsencrypt/live/aney.co.uk`
|
||||||
|
|
||||||
|
This will potentially show
|
||||||
|
`lrwxrwxrwx 1 root root 34 Aug 1 15:16 cert.pem -> ../../archive/aney.co.uk/cert1.pem`
|
||||||
|
|
||||||
|
Which can be translated to
|
||||||
|
`/etc/letsencrypt/archive/aney.co.uk/cert1.pem`
|
||||||
|
|
||||||
|
You'll also need renewel configs
|
||||||
|
`/etc/letsencrypt/renewal/aney.co.uk.conf`
|
||||||
|
|
||||||
|
### Compress the cert files
|
||||||
|
|
||||||
|
`sudo tar -chvzf certs.tar.gz /etc/letsencrypt/archive/aney.co.uk /etc/letsencrypt/renewal/aney.co.uk.conf`
|
||||||
|
|
||||||
|
Then move it somewhere easy to access. E.g. a home directory, or /root
|
||||||
|
|
||||||
|
`mv certs.tar.gz /home/pi/`
|
||||||
|
|
||||||
|
### Add certs to the new server
|
||||||
|
|
||||||
|
`scp certs.tar.gz nathan@192.168.1.226:/home/nathan`
|
||||||
|
|
||||||
|
## Move Certificates
|
||||||
|
|
||||||
|
SSH onto the new server
|
||||||
|
|
||||||
|
Change into root directory and extract. This will set the correct filepaths
|
||||||
|
|
||||||
|
`cd /`
|
||||||
|
`sudo tar -xvf ~/certs.tar.gz`
|
||||||
|
|
||||||
|
### Symlink the certs to the "live" folder
|
||||||
|
|
||||||
|
#### If the directory doesn't exist, add it
|
||||||
|
|
||||||
|
sudo mkdir /etc/letsencrypt/live /etc/letsencrypt/live/aney.co.uk
|
||||||
|
|
||||||
|
#### Actually do the symlinks
|
||||||
|
|
||||||
|
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/cert1.pem /etc/letsencrypt/live/aney.co.uk/cert.pem
|
||||||
|
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/chain1.pem /etc/letsencrypt/live/aney.co.uk/chain.pem
|
||||||
|
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/fullchain1.pem /etc/letsencrypt/live/aney.co.uk/fullchain.pem
|
||||||
|
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/privkey1.pem /etc/letsencrypt/live/aney.co.uk/privkey.pem
|
||||||
|
|
||||||
|
|
||||||
|
### Add SSL certificated into the nginx config
|
||||||
|
|
||||||
|
` ssl_certificate /etc/letsencrypt/live/aney.co.uk/fullchain.pem; # managed by Certbot
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/aney.co.uk/privkey.pem; # managed by Certbot`
|
||||||
|
|
||||||
|
#### Do it from the other server
|
||||||
|
|
||||||
|
`scp /etc/nginx/sites-available/aney nathan@192.168.1.226:/etc/nginx/sites-available/aney_srv`
|
||||||
|
|
||||||
|
Rename the existing config if it exists.
|
||||||
|
|
||||||
|
`mv aney.co.uk aney.co.uk.PRE-MIGRATE`
|
||||||
|
|
||||||
|
Rename the new/existing server's config
|
||||||
|
|
||||||
|
`mv aney_srv aney.co.uk`
|
||||||
|
|
||||||
|
### Point domain to new server
|
||||||
|
|
||||||
|
Change the A records in your DNS to point towards the new server.
|
||||||
|
|
||||||
|
If it's a new replacement/internal server, the IP for the port forward should
|
||||||
|
be all that's needed.
|
||||||
|
|
||||||
|
### Run a let's encrypt dry-run
|
||||||
|
|
||||||
|
`sudo letsencrypt renew --dry-run`
|
||||||
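Review bot: the "Actually do the symlinks" step hard-codes `cert1.pem`, `chain1.pem`, `fullchain1.pem` and `privkey1.pem`, while the earlier `ls -l` output is introduced only as what the command will "potentially show". On a host that has renewed at least once, the archive directory holds higher-numbered files, and these links would point nginx at the oldest certificate and key. Either tell the reader to substitute the number they saw in their own `ls -l` output, or add `/etc/letsencrypt/live/aney.co.uk` to the tar command and drop `-h`, so the original relative links (`../../archive/aney.co.uk/...`) travel with the archive and the manual `mkdir`/`ln -s` section is not needed. Separately, `certs.tar.gz` contains the private key and is left in `/home/pi` and `/home/nathan` with no step that restricts its permissions or deletes it after extraction; add a `chmod 600` before the `scp` and an `rm` on both hosts once the dry-run passes. Smaller points: the archive is created with `sudo` but moved with a plain `mv`, the `scp` into `/etc/nginx/sites-available/` runs as `nathan`, who may not have write access there, the `mkdir` and `ln -s` lines are missing the backticks used for every other command, and "Certificated" (title and nginx heading) and "renewel" are typos.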