I decommissioned one of my cloud instances recently and I had to migrate LetsEncrypt SSL certificates over to a new server. It took me a while to find all the necessary information. I hope this guide will make your life easier. It assumes the following setup:
- SSH and root access to your old webserver.
- SSH and root access to your new webserver.
- Your own domain name(s).
- Access or privilege to configure DNS records (e.g. A, CNAME).
- Google Cloud Compute Engine (aka Google Cloud).
- Bitnami with Debian 8, Apache2, and WordPress Multisite.
1st Step: Back up your LetsEncrypt SSL certificates on your old webserver.
SSH into your old webserver as root. Then back up the whole LetsEncrypt directory as a tar.gz file in /tmp by running the following commands:
cd /tmp
tar zcvf /tmp/letsencrypt_backup_$(date +'%Y-%m-%d_%H%M').tar.gz /etc/letsencrypt
tar preserves permissions and symlinks, so the archive is an exact copy of /etc/letsencrypt that you can restore on your new webserver.
2nd Step: Transfer the tar.gz file of your LetsEncrypt SSL certificates to your new webserver.
There are many ways to do this. The best approach is to transfer it directly from your old webserver to the new one with either the rsync or the scp command:
rsync -v -e ssh [LOCAL_FILE_PATH] [DESTINATION_HOST_NAME]:[DESTINATION_PARENT_PATH]
However, I was encountering some hiccups using these commands. Therefore, I had to do a workaround, which definitely wasn’t the best approach, but it did the job.
Here is a high-level overview of what I did:
- Download the tar file to my local machine (aka laptop).
- Upload the tar file from my local machine to the /tmp folder on the new webserver.
Once the tar file has been uploaded to your new webserver, SSH into it as root and extract the archive by running the following command:
tar zxvf /tmp/YOUR_LETSENCRYPT_FILE_NAME -C /
This extracts the archive back into the /etc/letsencrypt folder with all symlinks preserved.
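The thing that actually matters in steps 1 and 2 is that live/ stays a set of symlinks into archive/ and that the archive arrives intact, so here is a shell script, added as an example and not part of the original post, that backs up a LetsEncrypt tree, counts the symlinks stored in the archive, compares the SHA-256 digest before and after transfer, restores into a parent directory of your choice and checks the restored links. It assumes GNU or BSD tar, sha256sum (or shasum) and readlink; the sample tree it builds under a temp directory is constructed, with dummy PEM contents, so it can be tried without root before being pointed at /etc/letsencrypt.

```shell
#!/bin/sh
# Added example (not from the original post): back up a Let's Encrypt tree,
# confirm the archive kept live/ entries as symlinks, and verify the restored
# copy. Every path is a parameter so it can be tried on a constructed tree
# without root before being pointed at /etc/letsencrypt.

# sha256_of FILE: prints the SHA-256 hex digest (compare before and after transfer).
sha256_of() {
    (sha256sum "$1" 2>/dev/null || shasum -a 256 "$1") | cut -d' ' -f1
}

# backup_letsencrypt SRC_DIR OUT_TAR
# Archives SRC_DIR relative to its parent, so the archive holds "letsencrypt/..."
# and is restored with "tar -xzf OUT_TAR -C /etc" on the destination.
# Prints the digest of the archive.
backup_letsencrypt() {
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")" || return 1
    sha256_of "$2"
}

# archive_symlink_count TAR
# Number of entries stored as symbolic links (type character 'l' in tar -tv).
# An archive made with --dereference/-h reports 0 here: the live/ -> archive/
# layout certbot relies on would be flattened into plain copies.
archive_symlink_count() {
    tar -tzvf "$1" | grep -c '^l' || true
}

# restore_letsencrypt TAR DEST_PARENT: the guide's "tar zxvf FILE -C /" step,
# parameterised so the result can be inspected before touching the real /etc.
restore_letsencrypt() {
    mkdir -p "$2" && tar -xzf "$1" -C "$2"
}

# verify_live_links LE_DIR
# Returns 0 when every live/<name>/*.pem is a relative symlink that resolves
# to a regular file under LE_DIR/archive, 1 otherwise. certbot renews by
# writing new files into archive/ and repointing these links, so plain copies
# would silently stop being updated.
verify_live_links() {
    rc=0
    for f in "$1"/live/*/*.pem; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        if [ ! -L "$f" ]; then
            echo "not a symlink: $f" >&2; rc=1; continue
        fi
        target=$(readlink "$f")
        case $target in
            ../../archive/*)
                [ -f "$(dirname "$f")/$target" ] || { echo "dangling link: $f" >&2; rc=1; } ;;
            *)  echo "unexpected target: $f -> $target" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# make_sample_tree ROOT
# Constructed miniature of certbot's layout under ROOT/letsencrypt (dummy PEM
# contents, not real keys); prints the path of the tree.
make_sample_tree() {
    le=$1/letsencrypt
    mkdir -p "$le/archive/example.test" "$le/live/example.test" "$le/renewal"
    printf 'CONSTRUCTED CERT\n' > "$le/archive/example.test/fullchain1.pem"
    printf 'CONSTRUCTED KEY\n'  > "$le/archive/example.test/privkey1.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$le/live/example.test/fullchain.pem"
    ln -s ../../archive/example.test/privkey1.pem  "$le/live/example.test/privkey.pem"
    echo "$le"
}

# End-to-end demo on the constructed tree: old host -> archive -> new host.
demo_migration() {
    work=$(mktemp -d)
    src=$(make_sample_tree "$work/old/etc")
    tarball="$work/letsencrypt_backup_$(date +'%Y-%m-%d_%H%M').tar.gz"
    before=$(backup_letsencrypt "$src" "$tarball")
    echo "archive: $tarball sha256=$before symlinks=$(archive_symlink_count "$tarball")"
    # (scp/rsync the tarball here, then recompute the digest on the new host)
    [ "$(sha256_of "$tarball")" = "$before" ] || { echo "digest mismatch after transfer" >&2; return 1; }
    restore_letsencrypt "$tarball" "$work/new/etc"
    verify_live_links "$work/new/etc/letsencrypt" && echo "restored tree OK: $work/new/etc/letsencrypt"
}

# Usage: LE_DEMO=1 sh migrate_check.sh   (without LE_DEMO only the functions are defined)
if [ "${LE_DEMO:-0}" = 1 ]; then demo_migration; fi
```

On the real hosts you would run backup_letsencrypt /etc/letsencrypt /tmp/backup.tar.gz on the old server, note the printed digest, copy the file over, and on the new server compare sha256_of against that digest before extracting; if archive_symlink_count ever prints 0, the archive was made with dereferencing and should be redone.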
3rd Step: Verify that the LetsEncrypt SSL certificates are set up correctly.
You need to install the LetsEncrypt dependency packages on your new webserver before you can verify the certificates.
SSH into your new webserver as root and check the following:
- Is certbot installed? If not, install it.
- Make sure the backports repository is enabled on Debian 8/9.
If everything is set up, run the following command:
sudo certbot renew --dry-run
This may print error messages from certbot about your certificates, but it confirms that certbot is installed and that your LetsEncrypt SSL certificates are in the right place.
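A dry run tells you certbot can see the files, but not that each live/ entry still pairs the right key with the right certificate. The script below is an added example, not part of the original post: for every lineage under live/ it checks that fullchain.pem and privkey.pem resolve, compares the public key inside the certificate with the public key derived from the private key, and prints the expiry date. It assumes the openssl command-line tool is installed; the helper that builds a throwaway lineage with a self-signed certificate is there only so the checker can be exercised on constructed material.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the restored
# /etc/letsencrypt/live tree with openssl. Assumes the openssl CLI.

# cert_matches_key CERT KEY
# Extracts the public key from the (leaf) certificate and derives the public
# key from the private key; they must be byte-identical PEM. Works for RSA
# and EC keys alike.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# check_live_certs LE_DIR
# One line per live/<name>: OK with the notAfter date, or a reason on stderr.
# Returns the number of failing lineages (0 = everything consistent).
check_live_certs() {
    bad=0
    for d in "$1"/live/*/; do
        [ -d "$d" ] || continue                      # glob matched nothing
        name=$(basename "$d")
        cert="${d}fullchain.pem"; key="${d}privkey.pem"
        if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
            echo "$name: missing or unreadable fullchain.pem/privkey.pem" >&2
            bad=$((bad + 1)); continue
        fi
        if ! cert_matches_key "$cert" "$key"; then
            echo "$name: certificate and private key do NOT match" >&2
            bad=$((bad + 1)); continue
        fi
        echo "$name: OK, expires $(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)"
    done
    return $bad
}

# make_constructed_lineage LE_DIR NAME
# Throwaway lineage in certbot's layout (archive/ files, live/ symlinks) with a
# self-signed certificate, constructed for trying the checker without real
# Let's Encrypt material.
make_constructed_lineage() {
    le=$1; name=$2
    mkdir -p "$le/archive/$name" "$le/live/$name"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
        -keyout "$le/archive/$name/privkey1.pem" \
        -out "$le/archive/$name/fullchain1.pem" 2>/dev/null
    ln -sf "../../archive/$name/privkey1.pem"   "$le/live/$name/privkey.pem"
    ln -sf "../../archive/$name/fullchain1.pem" "$le/live/$name/fullchain.pem"
}

# Usage on the new host: LE_DIR=/etc/letsencrypt sh check_certs.sh
if [ -n "${LE_DIR:-}" ]; then check_live_certs "$LE_DIR"; fi
```

Run it as root (the private keys are mode 600) and treat any "do NOT match" line as a stop sign: Apache will refuse to start its :443 vhost with a mismatched pair, and renew would keep the mismatch.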
4th Step: Point your domain name's DNS at the new webserver.
If you did this already, skip this.
Otherwise, go to your domain name provider's dashboard (e.g. Namecheap, GoDaddy) and point the @ record of your domain name to the new server.
Set the TTL (Time to Live) of the @ record to 30 minutes or less.
5th Step: Add the virtual host for your domain name to httpd-vhosts.conf on the new webserver.
If you set up your WordPress + Apache webserver with Bitnami, you will need to add a virtual host for your domain name on the new server:
sudo vim ~/apps/wordpress/conf/httpd-vhosts.conf
Then add the following:
<VirtualHost *:80>
    ServerName YOURDOMAINNAME.COM
    ServerAlias www.YOURDOMAINNAME.COM
    DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
    Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
</VirtualHost>

<VirtualHost *:443>
    ServerName YOURDOMAINNAME.COM
    ServerAlias www.YOURDOMAINNAME.COM
    DocumentRoot "/opt/bitnami/apps/wordpress/htdocs"
    SSLEngine on
    # certbot keeps these under /etc/letsencrypt/live/YOURDOMAINNAME.COM/
    SSLCertificateFile "YOUR_PATH_TO_FULLCHAIN_PEM"
    SSLCertificateKeyFile "YOUR_PATH_TO_PRIVKEY_PEM"
    Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
</VirtualHost>
6th Step: Verify everything is in place.
First, stop the Apache server and make sure no Apache processes are left running:
sudo /opt/bitnami/ctlscript.sh stop apache
This avoids the following error when running certbot renew:
(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
Second, run a dry run of the certificate renewal through certbot:
sudo certbot renew --dry-run
Lastly, start your Apache server again:
sudo /opt/bitnami/ctlscript.sh start apache
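Whether Apache has to be stopped at all depends on how the certificates were originally issued: the "could not bind to address ... :80" error above is what you get when certbot's standalone authenticator wants port 80 for itself, whereas webroot or apache authenticators renew with Apache running. The authenticator is recorded per lineage in /etc/letsencrypt/renewal/<name>.conf, and so are absolute paths to the PEM files, which break if the tree was restored anywhere other than /etc/letsencrypt. The script below is an added example, not part of the original post: it reads those INI-style renewal configs, reports paths that do not exist on the new host, and for standalone lineages builds a certbot renew command that uses certbot's --pre-hook/--post-hook options to stop and start Apache only when a renewal is actually attempted. The renewal config it writes for the demo is constructed; /opt/bitnami/ctlscript.sh is the Bitnami path from this guide.

```shell
#!/bin/sh
# Added example (not from the original post): inspect certbot's renewal configs
# (/etc/letsencrypt/renewal/<name>.conf, INI-style) to decide whether Apache
# must be stopped for "certbot renew" and to spot paths that no longer exist
# after the move.

# renewal_authenticator CONF: prints the authenticator from [renewalparams]
# (e.g. standalone, webroot, apache); prints nothing if absent.
renewal_authenticator() {
    sed -E -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*([^[:space:]]+).*/\1/p' "$1" | head -n 1
}

# renewal_missing_paths CONF: lists the cert/privkey/chain/fullchain paths
# recorded in CONF that do not exist on this host. These absolute paths are
# what makes "certbot renew" fail when the tree was restored somewhere other
# than where it lived on the old host.
renewal_missing_paths() {
    sed -E -n 's/^[[:space:]]*(cert|privkey|chain|fullchain)[[:space:]]*=[[:space:]]*//p' "$1" |
    while IFS= read -r p; do [ -e "$p" ] || echo "$p"; done
}

# renew_command CONF [CTLSCRIPT]
# The standalone authenticator binds port 80 itself (the AH00072 make_sock
# clash from the guide), so wrap the stop/start in certbot's
# --pre-hook/--post-hook: they run only when a renewal is actually attempted.
# Other authenticators renew with Apache running.
renew_command() {
    ctl=${2:-/opt/bitnami/ctlscript.sh}
    case $(renewal_authenticator "$1") in
        standalone)
            printf 'certbot renew --pre-hook "%s stop apache" --post-hook "%s start apache"\n' "$ctl" "$ctl" ;;
        *)  printf 'certbot renew\n' ;;
    esac
}

# renewal_report LE_DIR: one line per lineage plus any missing paths.
renewal_report() {
    for conf in "$1"/renewal/*.conf; do
        [ -f "$conf" ] || continue                   # glob matched nothing
        name=$(basename "$conf" .conf)
        echo "$name: authenticator=$(renewal_authenticator "$conf") -> $(renew_command "$conf")"
        renewal_missing_paths "$conf" | sed "s|^|$name: missing |"
    done
}

# make_constructed_renewal_conf OUT LE_DIR NAME AUTHENTICATOR
# Minimal renewal config in certbot's format, constructed for the demo.
make_constructed_renewal_conf() {
    cat > "$1" <<EOF
archive_dir = $2/archive/$3
cert = $2/live/$3/cert.pem
privkey = $2/live/$3/privkey.pem
chain = $2/live/$3/chain.pem
fullchain = $2/live/$3/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = $4
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Usage on the new host: LE_DIR=/etc/letsencrypt sh renewal_check.sh
if [ -n "${LE_DIR:-}" ]; then renewal_report "$LE_DIR"; fi
```

Run the printed command with sudo (and --dry-run first, as in the guide). With the hooks in place the same command is safe to put in cron or a systemd timer, which is what keeps the site from going dark when the 90-day certificates expire.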
7th Step: Check out your HTTPS site.
Remember the TTL from the 4th step? Wait until it has expired (e.g. if you set it to 15 minutes, wait 15 minutes).
Make sure to clear your browser cache.
Then open https://www.YOURDOMAINNAME.com in a browser of your choice and confirm there is no SSL certificate error.