Web Hosting Monkey

How to Move Letsencrypt SSL Certificate to a New Server

If you are migrating your website to a new server, it is likely that you also need to move your SSL certificate. This tutorial walks you through the process of moving the existing Letsencrypt SSL certificate to a new server with zero downtime.

Here is some background information about this certificate authority. Letsencrypt, also known as Let’s Encrypt, is a non-profit certificate authority that issues free SSL certificates. It is currently the largest certificate authority in the world. It’s very easy to obtain and maintain Letsencrypt certificates. Each certificate is valid for 90 days and it can be renewed indefinitely.

This guide is applicable to all kinds of websites including those using WordPress as the content management system. SSL certificate migration with zero downtime is the objective. There is no website outage in the migration process if you follow all the steps below. This tutorial is designed to be as simple as possible and can also be used for migration of other types of SSL certificates.

This guide is primarily tailored for Linux server systems; however, the procedures can be applied to other systems as well.

Set Up the New Server for Letsencrypt SSL Certificate Migration

This is the first step of migration of website and Letsencrypt SSL certificate. Ensure the operating system, the web server, the database and the runtime environment on the new server are all properly installed and configured. For example, if you are running LAMP, make sure the Linux system, Apache web server, MySQL database and PHP environment on the new server are all functioning with no error.

Also, you will have much less trouble finishing migration of your website and Letsencrypt SSL certificate if the versions of all components are exactly the same between the new server and the existing server.

Skip this step if it has been done or if the web server and the database on the new server are already in use.

Install Letsencrypt Certbot on the New Server

If Certbot has not been installed on the new server, install it now. Since you are migrating a Letsencrypt SSL certificate, I am sure that you are already familiar with the installation of Certbot. Skip this step if it has been done or if Certbot has been run for other domains on the new server.

If the setup of the new server is significantly different from that of the existing server, you might want to check the official website of Certbot for the latest instructions on how to install Certbot on the new server.

Copy Website Files to the New Server

Now, copy all website files from the existing server to the new server. The website files may include database files, web server configuration files, program files, scripts, static files and images. I am sure you won’t have any difficulty copying all files over to the new server with the file transfer technique you are most familiar with.

If the new server is currently serving websites, you need to merge the configuration of the existing web server into the configuration file on the new server. If the database is already in use on the new server, you also need to import the existing data into the database on the new server.

You might want to check if the non-SSL HTTP version of your website is working properly after the file move.

Bundle Existing Letsencrypt Directory

Bundle the whole Letsencrypt directory on the existing server into a single file with the utility you are most familiar with, such as “zip” or “tar”. The directory is the following one by default:

/etc/letsencrypt

Move the Letsencrypt Bundle to the New Server

Create a temporary directory on the new server and name it “/temp”. Then, move the Letsencrypt bundle you just created securely over to the temporary directory. Restore all files in the temporary directory without changing the subdirectory structure. The following is an example of what is in the temporary directory on the new server now.

/temp/letsencrypt

Modify Letsencrypt SSL Certificate Location on the New Server

You need to let the new web server know where the existing certificate is. If you are using Apache, the configuration file you are about to modify is the following one.

/etc/httpd/conf.d/vhost-le-ssl.conf

If you are using Nginx or other types of web servers, modify the web server configuration file that contains the information about SSL certificate locations.

The SSL version of web server configuration usually contains a few lines of code generated by Certbot. The following is an example.

SSLCertificateFile /etc/letsencrypt/live/webhostingmonkey.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/webhostingmonkey.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/webhostingmonkey.com/chain.pem

Change the directory name “/etc” in the configuration above to “/temp”. The following is the result after making such a change.

SSLCertificateFile /temp/letsencrypt/live/webhostingmonkey.com/cert.pem
SSLCertificateKeyFile /temp/letsencrypt/live/webhostingmonkey.com/privkey.pem
SSLCertificateChainFile /temp/letsencrypt/live/webhostingmonkey.com/chain.pem

Load the New Letsencrypt SSL Configuration without Restart

The new Letsencrypt SSL configuration is ready for business now. Just reload the new configuration without restarting the web server. The following is an example if you are using Apache.

On RHEL, CentOS, Fedora, AlmaLinux, and Rocky Linux:

sudo systemctl reload httpd

On Ubuntu and Debian:

sudo systemctl reload apache2

You can also use “restart” instead of “reload” but that would cause the Apache web server to stop working for a fraction of a second.
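
The bundle, restore and configuration steps above, as an added shell example that is not part of the original tutorial. It assumes a Certbot-style layout in which live/ holds symlinks into archive/, uses example.com as a constructed domain, and takes the /etc and /temp locations as parameters so it can be exercised on a throwaway tree.

```shell
# Added example, not the tutorial's own commands. Bundles the Letsencrypt
# directory with tar, which keeps the live/ -> archive/ symlinks Certbot relies
# on (zip needs -y for that), restores it under the /temp-style directory,
# checks that every live/ link still resolves and that the private key is not
# world-readable, and rewrites the Apache directives from /etc to /temp.
# Paths are parameters so the demo at the end runs on a constructed tree.

bundle_letsencrypt() {  # $1 = dir holding letsencrypt/ (e.g. /etc), $2 = absolute tarball path
    tar -C "$1" -cf "$2" letsencrypt
}

restore_letsencrypt() {  # $1 = tarball, $2 = destination parent (e.g. /temp)
    mkdir -p "$2" && tar -C "$2" -xpf "$1"   # -p keeps privkey.pem at mode 0600
}

verify_live_links() {  # $1 = restored letsencrypt dir, $2 = domain
    for f in cert.pem privkey.pem chain.pem fullchain.pem; do
        link="$1/live/$2/$f"
        # each entry must still be a symlink that points at an existing file
        { [ -L "$link" ] && [ -f "$link" ]; } || { echo "broken link: $link" >&2; return 1; }
    done
    # the key the web server will load must not be readable by other users
    if find -L "$1/live/$2/privkey.pem" -perm -004 | grep -q .; then
        echo "world-readable private key: $1/live/$2/privkey.pem" >&2; return 1
    fi
}

rewrite_cert_paths() {  # $1 = vhost-le-ssl.conf; rewritten config goes to stdout
    # only SSLCertificateFile/KeyFile/ChainFile change; Include lines etc. are untouched
    sed 's|^\([[:space:]]*SSLCertificate[A-Za-z]*File[[:space:]]*\)/etc/letsencrypt/|\1/temp/letsencrypt/|' "$1"
}

make_demo_tree() {  # $1 = root; constructed Certbot-style layout for the demo and the checks
    mkdir -p "$1/etc/letsencrypt/archive/example.com" "$1/etc/letsencrypt/live/example.com"
    for f in cert privkey chain fullchain; do
        printf 'constructed %s\n' "$f" > "$1/etc/letsencrypt/archive/example.com/${f}1.pem"
        ln -s "../../archive/example.com/${f}1.pem" "$1/etc/letsencrypt/live/example.com/$f.pem"
    done
    chmod 600 "$1/etc/letsencrypt/archive/example.com/privkey1.pem"
    printf 'SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem\nSSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem\n' > "$1/vhost-le-ssl.conf"
}

demo_root=$(mktemp -d)
make_demo_tree "$demo_root"
bundle_letsencrypt "$demo_root/etc" "$demo_root/letsencrypt.tar"
restore_letsencrypt "$demo_root/letsencrypt.tar" "$demo_root/temp"
verify_live_links "$demo_root/temp/letsencrypt" example.com && echo "restored tree OK"
rewrite_cert_paths "$demo_root/vhost-le-ssl.conf"
rm -rf "$demo_root"
```

On a real server, run `rewrite_cert_paths` against the vhost file, review the output, then write it back and reload as described above.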

Change DNS Settings at the Registrar

Log on to your domain registrar or your self-hosted DNS server. Change the DNS settings of your domain and let your domain point to the new server. This step should be fairly easy for you.

Registrars usually claim that the time required for DNS propagation is out of their control, but it usually takes a very short time. There will be no downtime of your website regardless of how long this DNS switch takes because both the existing server and the new server are ready to accept SSL connections. Some visitors will land on the new server and others will still get responses from the old server while DNS propagation is in progress. Eventually everyone will be connecting to the new server only. The handover between the two servers is completely transparent to your visitors.

The existing certificate has been successfully moved to the new server.

Remove Temporary Letsencrypt Locations in Web Server Configuration

You can follow this step and the steps below when the certificate is close to its expiry date. However, you might as well get a new SSL certificate for the new server right after the DNS switch since these certificates are free of charge and they don’t last for a very long time anyway.

What you need to do now is remove the lines you have modified in the SSL configuration file but do NOT reload or restart the web server yet. The following is an example of what should be completely removed in the configuration file.

SSLCertificateFile /temp/letsencrypt/live/webhostingmonkey.com/cert.pem
SSLCertificateKeyFile /temp/letsencrypt/live/webhostingmonkey.com/privkey.pem
SSLCertificateChainFile /temp/letsencrypt/live/webhostingmonkey.com/chain.pem

Obtain a New Letsencrypt SSL Certificate with Certbot

Whether you are using Apache, Nginx or other types of web servers, just use Certbot to generate a new Letsencrypt SSL certificate on the new server now. There should be no problem for you to finish this step since you must have completed a similar task before. Also, it’s not very different from renewing a Letsencrypt SSL certificate with Certbot. You can use the following command line to obtain a new SSL certificate if you are running the latest Certbot with Apache.

sudo certbot --apache

Reload Web Server Configuration Again

Now, reload the configuration of the web server again. The following command line is an example for Apache web server.

On RHEL, CentOS, Fedora, AlmaLinux, and Rocky Linux:

sudo systemctl reload httpd

On Ubuntu and Debian:

sudo systemctl reload apache2

Your website is now using a brand new Letsencrypt SSL certificate which is valid for 90 days. The old Letsencrypt SSL certificate you moved to the new server is no longer in use.

Clean Up Temporary Letsencrypt Files on the New Server

Check your log files on the old server and make sure there is no more website traffic to the old server. It is now safe to remove the files in the “/temp” directory on the new server. You can also remove the files in the Letsencrypt directory on the old server if you are sure the DNS switch is complete.