Migrate SSL Certificates

https://ivanderevianko.com/2019/03/migrate-letsencrypt-certificates-certbot-to-new-server

Find the location of Certs

cat /etc/nginx/sites-available/<site>

Find the paths of the SSL certificates in there, e.g.

ssl_certificate_key /etc/letsencrypt/live/aney.co.uk/privkey.pem;

Then find the true location of these files (the ones shown are likely symlinks)

sudo ls -l /etc/letsencrypt/live/aney.co.uk

This will potentially show

lrwxrwxrwx 1 root root 34 Aug 1 15:16 cert.pem -> ../../archive/aney.co.uk/cert1.pem

Which can be translated to /etc/letsencrypt/archive/aney.co.uk/cert1.pem

You'll also need the renewal config

/etc/letsencrypt/renewal/aney.co.uk.conf

Compress the cert files

sudo tar -chvzf certs.tar.gz /etc/letsencrypt/archive/aney.co.uk /etc/letsencrypt/renewal/aney.co.uk.conf

Then move it somewhere easy to access. E.g. a home directory, or /root

mv certs.tar.gz /home/pi/

Add certs to the new server

scp certs.tar.gz nathan@192.168.1.226:/home/nathan

Move Certificates

SSH onto the new server

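Change into the root directory (/) and extract. tar stripped the leading / from the paths when the archive was created, so extracting from / puts the files back at their original paths

cd /
sudo tar -xvf ~/certs.tar.gz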

If the directory doesn't exist, add it

sudo mkdir /etc/letsencrypt/live /etc/letsencrypt/live/aney.co.uk
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/cert1.pem /etc/letsencrypt/live/aney.co.uk/cert.pem
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/chain1.pem /etc/letsencrypt/live/aney.co.uk/chain.pem
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/fullchain1.pem /etc/letsencrypt/live/aney.co.uk/fullchain.pem
sudo ln -s /etc/letsencrypt/archive/aney.co.uk/privkey1.pem /etc/letsencrypt/live/aney.co.uk/privkey.pem

Add the SSL certificates to the nginx config

ssl_certificate /etc/letsencrypt/live/aney.co.uk/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/aney.co.uk/privkey.pem; # managed by Certbot

Do it from the other server

scp /etc/nginx/sites-available/aney nathan@192.168.1.226:/etc/nginx/sites-available/aney_srv

Rename the existing config if it exists.

mv aney.co.uk aney.co.uk.PRE-MIGRATE

Rename the new/existing server's config

mv aney_srv aney.co.uk

Point domain to new server

Change the A records in your DNS to point towards the new server.

If it's a new replacement/internal server, the IP for the port forward should be all that's needed.

Run a Let's Encrypt dry run

sudo letsencrypt renew --dry-run
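
A check for the layout built under "Move Certificates", useful before reloading nginx on the new server. This is an added example, not part of the original notes: check_lineage is a hypothetical helper name, and it assumes a Linux host with readlink -f. It confirms the four live/ symlinks resolve into the domain's archive/ directory, that the private key kept its restrictive permissions through the tar and scp round trip, and that the renewal config arrived.

```shell
#!/bin/sh
# Added example (not from the original notes). check_lineage is a hypothetical
# helper name. Assumes a Linux host where `readlink -f` is available.
# Usage: sudo sh check_lineage.sh /etc/letsencrypt aney.co.uk

check_lineage() {
    root=$1; domain=$2; rc=0
    live="$root/live/$domain"
    [ -d "$root/archive/$domain" ] || { echo "FAIL: no archive for $domain"; return 1; }
    archive=$(readlink -f "$root/archive/$domain")

    for name in cert chain fullchain privkey; do
        link="$live/$name.pem"
        if [ ! -L "$link" ]; then
            echo "FAIL: $link is missing or not a symlink"; rc=1; continue
        fi
        # -e follows the link, so a dangling symlink fails here.
        if [ ! -e "$link" ]; then
            echo "FAIL: $link is dangling -> $(readlink "$link")"; rc=1; continue
        fi
        # The live/ links must resolve into this domain's archive/ directory.
        case "$(readlink -f "$link")" in
            "$archive"/*) ;;
            *) echo "FAIL: $link resolves outside $archive"; rc=1 ;;
        esac
    done

    # The private key must carry no group/other permission bits; check the
    # link target (-L), since the symlink itself always shows lrwxrwxrwx.
    key="$live/privkey.pem"
    if [ -e "$key" ]; then
        perms=$(ls -lL "$key" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL: $key is accessible to group/others ($perms)"; rc=1
        fi
    fi

    # Without the renewal config, renewal will not pick up this domain.
    if [ ! -f "$root/renewal/$domain.conf" ]; then
        echo "FAIL: $root/renewal/$domain.conf is missing"; rc=1
    fi
    return "$rc"
}

# Run as a script when given <letsencrypt-root> <domain>.
if [ "$#" -eq 2 ]; then
    check_lineage "$1" "$2" || exit 1
    echo "OK: $2 lineage looks intact"
fi
```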