Migrating Let’s Encrypt from Server to Server

  • Let’s Encrypt certificates reside in 3 folders inside /etc/letsencrypt/.
  • The folders are archive, live and renewal.
  • The archive folder contains the real keys, the live folder contains symbolic links to the archive files, and the renewal folder contains the site configuration.
  • Assuming the certificates for a domain named mydomain.com have to be moved, each of the 3 folders will contain an entry for mydomain.com. To move them from the original server, the best tool is tar, with parameters that compress the files and retain the symbolic links as they are.
  • In the above case, the command is:

sudo tar -czvf mydomain.com.tar.gz /etc/letsencrypt/archive/mydomain.com /etc/letsencrypt/live/mydomain.com /etc/letsencrypt/renewal/mydomain.com.conf

  • The compressed archive should be moved to the new server, which can be done with scp as follows:

scp mydomain.com.tar.gz newserveruser@ip.add.re.ss:/home/newserveruser/

  • On the new server, install certbot.
  • On the new server, log in as root and run:

cd /home/newserveruser/ && tar -xhzvf mydomain.com.tar.gz -C /

  • Go to /etc/letsencrypt/live/mydomain.com and run ls -la to check that the symbolic links exist.
  • On the old server, remove the certificate and renewal config with:

rm /etc/letsencrypt/renewal/mydomain.com.conf
rm -rf /etc/letsencrypt/renewal/mydomain.com
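
  • The symlink check on the new server can also be scripted. The following is an added example, not part of the original article: check_lineage is a hypothetical helper name, and the script assumes certbot's standard file names (cert.pem, chain.pem, fullchain.pem, privkey.pem) under live/ and relative links pointing into archive/.

```shell
#!/bin/sh
# Added example (not from the original page): verify a migrated certbot lineage.
# Usage: check_lineage <letsencrypt-root> <domain>
# Returns 0 when the layout is intact, 1 otherwise; problems go to stderr.
check_lineage() (
    root=$1 domain=$2 rc=0
    live="$root/live/$domain"
    archive="$root/archive/$domain"

    # The renewal config must have come across, or renewal will not know the lineage.
    [ -f "$root/renewal/$domain.conf" ] || { echo "missing: renewal/$domain.conf" >&2; rc=1; }

    # Physical path of the archive directory, for comparison with link targets.
    archive_real=$(cd "$archive" 2>/dev/null && pwd -P) || { echo "missing: archive/$domain" >&2; exit 1; }

    # Assumed: certbot's standard file names inside live/<domain>/.
    for name in cert chain fullchain privkey; do
        link="$live/$name.pem"
        if [ ! -L "$link" ]; then
            # A regular file here means the links were dereferenced during transfer.
            echo "not a symlink: $link" >&2; rc=1; continue
        fi
        if [ ! -f "$link" ]; then
            echo "dangling symlink: $link" >&2; rc=1; continue
        fi
        # Resolve the directory the link points into and compare with archive/.
        target_dir=$(cd "$live" && cd "$(dirname "$(readlink "$link")")" && pwd -P)
        if [ "$target_dir" != "$archive_real" ]; then
            echo "points outside archive/$domain: $link" >&2; rc=1
        fi
    done
    [ "$rc" -eq 0 ]
)

# When run as a script: sh check_lineage.sh /etc/letsencrypt mydomain.com
if [ "$#" -eq 2 ]; then check_lineage "$1" "$2"; fi
```

A non-zero exit status on the new server means the lineage should be fixed before the old server's copies are removed.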