How to Move Letsencrypt SSL Certificate to a New Server
If you are migrating your website to a new server, it is likely that you also need to move your SSL certificate. This tutorial walks you through the process of moving the existing Letsencrypt SSL certificate to a new server with zero downtime.
Here is some background information about this certificate authority. Letsencrypt (officially written Let’s Encrypt) is a non-profit certificate authority that issues free SSL/TLS certificates; measured by the number of certificates issued, it is the largest certificate authority in the world. Obtaining and maintaining Letsencrypt certificates is easy: each certificate is valid for 90 days and can be renewed indefinitely, normally by an automated Certbot job.
This guide applies to all kinds of websites, including those that use WordPress as the content management system. The objective is SSL certificate migration with zero downtime: if you follow all the steps below in order, there is no website outage during the migration. The tutorial is kept as simple as possible and can also be used to migrate other types of SSL certificates, since the web server only needs to find a valid certificate and private key at the paths it is given.
This guide is primarily tailored for Linux server systems; however, the procedures can be applied to other systems as well.
Set Up the New Server for Letsencrypt SSL Certificate Migration
This is the first step of migration of website and Letsencrypt SSL certificate. Ensure the operating system, the web server, the database and the runtime environment on the new server are all properly installed and configured. For example, if you are running LAMP, make sure the Linux system, Apache web server, MySQL database and PHP environment on the new server are all functioning with no error.
Also, you will have much less trouble finishing the migration of your website and Letsencrypt SSL certificate if the versions of all components are exactly the same on the new server and the existing server.
Skip this step if it has been done or if the web server and the database on the new server are already in use.
Install Letsencrypt Certbot on the New Server
If Certbot has not been installed on the new server, install it now. Since you are migrating a Letsencrypt SSL certificate, I am sure that you are already familiar with the installation of Certbot. Skip this step if it has been done or if Certbot has been run for other domains on the new server.
If the setup of the new server is significantly different from that of the existing server, you might want to check the official website of Certbot for the latest instructions on how to install Certbot on the new server.
Copy Website Files to the New Server
Now, copy all website files from the existing server to the new server. The website files may include web server configuration files, program files, scripts, static files and images, plus the database contents. Use whichever file transfer technique you are most familiar with, provided it is encrypted (scp, sftp or rsync over SSH). For the database, export a logical dump with the database’s own dump tool rather than copying raw data files from under a running database server; those files can be inconsistent while the server is still writing to them.
If the new server is already serving websites, merge the configuration of the existing web server into the configuration file on the new server rather than overwriting it. If the database on the new server is already in use, import the existing data into that database instead of replacing it.
Check that the non-SSL HTTP version of your website works on the new server after the file move. Public DNS still points at the existing server at this stage, so test against the new server’s IP address directly, for example with an entry in your own machine’s hosts file or with curl’s --resolve option.
Bundle Existing Letsencrypt Directory
Bundle the whole Letsencrypt directory on the existing server into a single file with a utility that preserves symbolic links and file permissions, such as “tar” (“zip” needs its -y option, otherwise it replaces the links with copies of their targets). Preserving links matters because the files under live/ are symlinks into archive/, where Certbot keeps every version of the certificate, and the private keys must keep their root-only permissions. The directory is the following one by default:
/etc/letsencrypt
Move the Letsencrypt Bundle to the New Server
Create a temporary directory on the new server and name it “/temp”. Then move the Letsencrypt bundle you just created over to the temporary directory, using an encrypted channel such as scp or sftp, because the bundle contains your private keys. Restore all files in the temporary directory without changing the subdirectory structure: the symlinks in live/ are relative (../../archive/...), so they keep working as long as live/ and archive/ stay side by side. Make sure the restored files are owned by root and that the private keys are not readable by other users. The following is an example of what is in the temporary directory on the new server now.
/temp/letsencrypt
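The bundle, transfer and restore steps above, carried through as an added example (this is not code from the original page): it bundles the tree with tar so that the symlinks in live/ and the key permissions survive, restores it under /temp, and then checks that every live/ entry still resolves, that the private key is readable by its owner only, and (on a real tree, via openssl) that the key belongs to the certificate and the certificate will outlive the DNS switch. The demo at the bottom runs on a constructed tree with placeholder files in a scratch directory; all paths and the example.com domain are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: bundle an existing
# /etc/letsencrypt tree on the old server, restore it under /temp on the new
# one, and verify the result before Apache is pointed at it.
# All paths and the example.com domain are assumptions for the demo.

# Bundle the Letsencrypt directory. -p keeps the root-only modes on the private
# keys; tar stores the relative symlinks in live/ as symlinks (zip needs -y).
bundle_letsencrypt() {
    src="$1"; out="$2"
    tar -C "$(dirname "$src")" -cpf "$out" "$(basename "$src")"
}

# Restore the bundle under a prefix such as /temp without changing the layout,
# so live/<domain>/cert.pem -> ../../archive/<domain>/cert1.pem still resolves.
restore_letsencrypt() {
    bundle="$1"; dest="$2"
    mkdir -p "$dest" && tar -C "$dest" -xpf "$bundle"
}

# Verify a restored tree: every live/<domain>/*.pem must resolve to a real file
# and each private key must be readable by its owner only. Prints one problem
# per line and returns 1 if anything is wrong.
check_restored_tree() {
    tree="$1"; status=0; found=0
    for d in "$tree"/live/*/; do
        [ -d "$d" ] || continue
        found=1
        for f in cert.pem privkey.pem chain.pem fullchain.pem; do
            [ -e "$d$f" ] || { echo "dangling or missing: $d$f"; status=1; }
        done
        # ls -lL follows the symlink; characters 5-10 are the group/other bits.
        mode=$(ls -lL "${d}privkey.pem" 2>/dev/null | cut -c5-10)
        if [ -e "${d}privkey.pem" ] && [ "$mode" != "------" ]; then
            echo "private key readable by group/other: ${d}privkey.pem"; status=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "no live/ directories under $tree"; status=1; }
    return "$status"
}

# Two openssl checks to run on the real tree (the constructed sample below has
# no real keys): does privkey.pem belong to cert.pem (works for RSA and EC keys
# by comparing the public keys), and is the certificate still valid N days from
# now, i.e. long enough to cover the DNS switch?
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# Constructed sample tree mimicking Certbot's layout, with placeholder contents.
make_sample_tree() {
    root="$1"; domain="$2"
    mkdir -p "$root/archive/$domain" "$root/live/$domain"
    for f in cert privkey chain fullchain; do
        echo "placeholder $f for $domain" > "$root/archive/$domain/${f}1.pem"
        ln -s "../../archive/$domain/${f}1.pem" "$root/live/$domain/$f.pem"
    done
    chmod 600 "$root/archive/$domain/privkey1.pem"
}

# Demo of the whole round trip inside a scratch directory. On real servers the
# commented line is the scp step; the bundle carries private keys, so transfer
# it over SSH only and delete it once it is restored.
work=$(mktemp -d)
make_sample_tree "$work/etc/letsencrypt" example.com
bundle_letsencrypt "$work/etc/letsencrypt" "$work/letsencrypt.tar"
# scp "$work/letsencrypt.tar" root@newserver:/temp/    (real transfer step)
restore_letsencrypt "$work/letsencrypt.tar" "$work/temp"
check_restored_tree "$work/temp/letsencrypt" && echo "restored tree is usable"
rm -rf "$work"
```

On the real servers, run bundle_letsencrypt as root on the old machine, copy the tar file with scp, run restore_letsencrypt and check_restored_tree as root on the new machine, and then call cert_key_match and cert_valid_for_days on /temp/letsencrypt/live/<your domain>/ before editing the web server configuration. A dangling symlink or a key that does not match its certificate is exactly what makes the reload in the next steps fail.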
Modify Letsencrypt SSL Certificate Location on the New Server
You need to let the new web server know where the existing certificate is. If you are using Apache, the configuration file you are about to modify is the SSL virtual host file that Certbot generated. On RHEL-style systems it is the following one by default.
/etc/httpd/conf.d/vhost-le-ssl.conf
On Ubuntu and Debian the equivalent file lives under /etc/apache2/sites-available/ and carries the same “-le-ssl.conf” suffix.
If you are using Nginx or other types of web servers, modify the web server configuration file that contains the information about SSL certificate locations.
The SSL version of the web server configuration usually contains a few lines generated by Certbot. The following is an example. (Newer Certbot versions on Apache 2.4.8 or later put fullchain.pem into SSLCertificateFile instead and omit SSLCertificateChainFile, which is obsolete on those Apache versions; the procedure is the same either way.)
SSLCertificateFile /etc/letsencrypt/live/webhostingmonkey.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/webhostingmonkey.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/webhostingmonkey.com/chain.pem
Change the directory name “/etc” in the configuration above to “/temp”, and nothing else. The following is the result after making such a change.
SSLCertificateFile /temp/letsencrypt/live/webhostingmonkey.com/cert.pem
SSLCertificateKeyFile /temp/letsencrypt/live/webhostingmonkey.com/privkey.pem
SSLCertificateChainFile /temp/letsencrypt/live/webhostingmonkey.com/chain.pem
Load the New Letsencrypt SSL Configuration without Restart
The new Letsencrypt SSL configuration is ready for business now. Before you reload, run the web server’s own configuration syntax check (Apache’s configtest), because reloading with a typo in the certificate paths is the one way this step can take the site down. Then reload the configuration without restarting the web server; a reload is graceful, so requests already in flight finish on the old configuration. The following is an example if you are using Apache.
On RHEL, CentOS, Fedora, AlmaLinux, and Rocky Linux:
sudo systemctl reload httpd
On Ubuntu and Debian:
sudo systemctl reload apache2
You can also use “restart” instead of “reload”, but that would cause the Apache web server to stop accepting connections for a fraction of a second and abort requests that are in progress.
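The edit-and-reload procedure above, as an added example that is not code from the original page: it rewrites only the certificate path directives from /etc/letsencrypt to /temp/letsencrypt (leaving comments and other lines alone, and keeping a backup), refuses to reload if any file the rewritten directives point at is missing, and only then runs Apache’s configtest and the systemctl reload. It goes slightly beyond the page by also handling nginx’s ssl_certificate and ssl_certificate_key directives. The service name passed to retarget_and_reload and the scratch-directory demo paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: switch the certificate path
# directives in a vhost file from /etc/letsencrypt to /temp/letsencrypt, make
# sure every file the rewritten directives point at actually exists, and only
# then let the web server reload. Also handles nginx's ssl_certificate and
# ssl_certificate_key directives (not shown on the page). The service name and
# the demo paths are assumptions.

# Rewrite the path prefix on Apache SSLCertificate*File and nginx
# ssl_certificate[_key] directives only; comments and other lines are left
# alone. The original file is kept as <conf>.bak. The prefixes must not contain
# the characters | or &, which sed would interpret.
retarget_cert_paths() {
    conf="$1"; from="$2"; to="$3"
    cp -p "$conf" "$conf.bak"
    sed -e "s|^\([[:space:]]*SSLCertificate[A-Za-z]*File[[:space:]]\{1,\}\)$from/|\1$to/|" \
        -e "s|^\([[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\)$from/|\1$to/|" \
        "$conf.bak" > "$conf"
}

# Print every certificate or key path the file references, one per line.
referenced_cert_paths() {
    sed -n -e 's|^[[:space:]]*SSLCertificate[A-Za-z]*File[[:space:]]\{1,\}\([^[:space:]]*\).*|\1|p' \
           -e 's|^[[:space:]]*ssl_certificate\(_key\)\{0,1\}[[:space:]]\{1,\}\([^[:space:];]*\).*|\2|p' "$1"
}

# Verify that every referenced file exists and is readable (run as root on a
# real server, since the private key is root-only). Returns 1 if any path is
# missing or if the file contains no certificate directives at all.
verify_cert_paths() {
    n=$(referenced_cert_paths "$1" | wc -l | tr -d ' ')
    [ "$n" -gt 0 ] || { echo "no certificate directives found in $1"; return 1; }
    referenced_cert_paths "$1" | while IFS= read -r p; do
        [ -r "$p" ] || { echo "missing or unreadable: $p"; exit 1; }
    done
}

# The real thing, run as root on the new server: rewrite, verify, syntax-check,
# reload; put the original file back if any stage fails so Apache keeps serving
# the configuration it already has. service is httpd (RHEL family) or apache2
# (Debian family).
retarget_and_reload() {
    conf="$1"; service="$2"
    retarget_cert_paths "$conf" /etc/letsencrypt /temp/letsencrypt
    if verify_cert_paths "$conf" && apachectl configtest; then
        systemctl reload "$service"
    else
        echo "not reloading; restoring $conf from $conf.bak"
        cp -p "$conf.bak" "$conf"
        return 1
    fi
}

# Demo on a constructed vhost file in a scratch directory (no root needed).
work=$(mktemp -d)
mkdir -p "$work/temp/letsencrypt/live/webhostingmonkey.com"
for f in cert privkey chain; do
    echo "placeholder $f" > "$work/temp/letsencrypt/live/webhostingmonkey.com/$f.pem"
done
printf '%s\n' \
    '# certificate paths below were written by certbot into /etc/letsencrypt' \
    'SSLCertificateFile /etc/letsencrypt/live/webhostingmonkey.com/cert.pem' \
    'SSLCertificateKeyFile /etc/letsencrypt/live/webhostingmonkey.com/privkey.pem' \
    'SSLCertificateChainFile /etc/letsencrypt/live/webhostingmonkey.com/chain.pem' \
    > "$work/vhost-le-ssl.conf"
retarget_cert_paths "$work/vhost-le-ssl.conf" /etc/letsencrypt "$work/temp/letsencrypt"
verify_cert_paths "$work/vhost-le-ssl.conf" && cat "$work/vhost-le-ssl.conf"
rm -rf "$work"
```

On the new server the call is simply retarget_and_reload /etc/httpd/conf.d/vhost-le-ssl.conf httpd (or the sites-available file and apache2 on Debian); if verification or configtest fails, the backup is restored and Apache is never told to reload, so the site keeps running on whatever it was serving before.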
Change DNS Settings at the Registrar
Log on to your domain registrar or your self-hosted DNS server. Change the DNS records of your domain so that they point to the new server. This step should be fairly easy for you. If you can, lower the TTL of those records a day or so in advance, so that resolvers drop the old address quickly once you switch.
Registrars usually claim that the time required for DNS propagation is out of their control. In practice it is governed by the TTL of the records you changed: resolvers keep the old answer until it expires. There will be no downtime of your website regardless of how long this DNS switch takes, because both the existing server and the new server are ready to accept SSL connections. Some visitors will land on the new server and others will still get responses from the old server while propagation is in progress; eventually everyone will be connecting to the new server only. The handover between the two servers is transparent to your visitors. Two things to watch during the overlap: the moved certificate must not expire before propagation finishes (renew it on the existing server first if it is close to its 90-day limit), and anything written on the old server during the overlap (orders, comments, form submissions) is not on the new server unless you re-sync the database afterwards or make the old site read-only for the duration.
The existing certificate has been successfully moved to the new server.
Remove Temporary Letsencrypt Locations in Web Server Configuration
You can follow this step and the steps below when the moved certificate is close to its expiry date. However, you might as well get a new SSL certificate for the new server right after the DNS switch: these certificates are free of charge, they do not last very long anyway, and Certbot on the new server knows nothing about the copy under /temp, so it will not renew that one automatically. The order matters: Certbot’s HTTP validation requires the domain to resolve to the new server, which it does only now that the DNS switch is done.
What you need to do now is remove the lines you modified from the SSL configuration file, but do NOT reload or restart the web server yet: Certbot will write fresh lines in their place, and a reload in between would fail Apache’s configuration check because the SSL virtual host would have no certificate. The following is an example of what should be completely removed from the configuration file.
SSLCertificateFile /temp/letsencrypt/live/webhostingmonkey.com/cert.pem
SSLCertificateKeyFile /temp/letsencrypt/live/webhostingmonkey.com/privkey.pem
SSLCertificateChainFile /temp/letsencrypt/live/webhostingmonkey.com/chain.pem
Obtain a New Letsencrypt SSL Certificate with Certbot
Whether you are using Apache, Nginx or other types of web servers, just use Certbot to generate a new Letsencrypt SSL certificate on the new server now. There should be no problem for you to finish this step since you must have completed a similar task before, and it is not very different from renewing a Letsencrypt SSL certificate with Certbot. You can use the following command line to obtain a new SSL certificate if you are running the latest Certbot with Apache; the Apache plugin writes the new certificate paths into the virtual host itself and reloads Apache for you.
sudo certbot --apache
Reload Web Server Configuration Again
Now, reload the configuration of the web server again. The following command line is an example for Apache web server.
On RHEL, CentOS, Fedora, AlmaLinux, and Rocky Linux:
sudo systemctl reload httpd
On Ubuntu and Debian:
sudo systemctl reload apache2
Your website is now using a brand new Letsencrypt SSL certificate which is valid for 90 days, and the Certbot installation on the new server will renew it; check that the renewal timer or cron job that the Certbot package installed is active. The old Letsencrypt SSL certificate you moved to the new server is no longer in use.
Clean Up Temporary Letsencrypt Files on the New Server
Check the access log on the old server and make sure there is no more website traffic to it; a few stray hits from crawlers or stale resolvers are normal, but regular visitors should be gone. It is now safe to remove the “/temp” directory and the bundle on the new server, since both contain a private key you no longer use. On the old server, once you are sure the DNS switch is complete, remove the files in the Letsencrypt directory as well and disable the Certbot renewal job, which would otherwise keep trying to renew a domain that no longer points at that machine.