What are my options for moving my LetsEncrypt certificate from one server to another?

I have an Ubuntu server running through Digital Ocean that has an SSH certificate that I got through LetsEncrypt.

I'm trying to switch to a cheaper service, and I need to move the cert to my new server. How can I do this?

It looks like I can revoke the certificate on my current DO server. Can I then make a new one on my new server without any problems?


Solution 1:

Some of this has already been said, but just to give one complete answer. I have started to use some LE certs on public services. Options for moving are almost unrestricted, more dependent on what project you are using to request the certs. Once you get the cert, you can export the key and cert to a file for moving to any server you like. You should not need to revoke anything to get a new cert. With the short lifespan of LE certs (3 months) and free cost, they are being treated as disposable by most that I find.

I have used the ACMESharp project by eBekker to build a PowerShell script to automate getting a new cert. This is what I have so far. It currently must run on the web server.

https://github.com/ebekker/ACMESharp

## This requires the ACMESharp module from EBekker
#Import-Module AcmeSharp

$dns = "www.example.com"
$webRoot = "C:\inetpub\wwwroot"

# Aliases for the ACME identifier and certificate; the timestamp keeps repeated runs distinct
$idRef = "$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd_HH-mm")"
$certRef = "cert-$($dns.Replace('.','-'))-$(Get-Date -Format "yyyy-MM-dd")"

Import-Module AcmeSharp
Write-Host "Getting a new challenge"
New-ACMEIdentifier -Dns $dns -Alias $idRef | Out-Null
# Request an http-01 challenge and handle it manually: this script writes the challenge file itself
$challenges = Complete-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Handler manual
$httpChallenge = ($challenges.Challenges | Where-Object {$_.Type -like 'http-01'}).Challenge

Write-Host "Creating challenge folder path"
# -Force so a rerun does not fail if the folder already exists
New-Item -ItemType Directory -Path "$webRoot\$($httpChallenge.FilePath)" -Force | Out-Null

# The challenge token is served as the default document of the token-named folder
$challengeFilePath = "$webRoot\$($httpChallenge.FilePath)\Default.htm"

if (Test-Path -Path $challengeFilePath) {
    Remove-Item -Path $challengeFilePath -Force
}

Write-Host "Adding challenge text to the requested path"
Add-Content -Path $challengeFilePath -Value $httpChallenge.FileContent -Force | Out-Null

Write-Host "Waiting 15 sec..."
Start-Sleep -Seconds 15

Write-Host "Submitting Challenge"
Submit-ACMEChallenge -IdentifierRef $idRef -ChallengeType http-01 -Force | Out-Null

Write-Host "Waiting 15 sec..."
Start-Sleep -Seconds 15

$id = Update-ACMEIdentifier -IdentifierRef $idRef

if ($id.Status -eq "pending") {
    Write-Host "Challenge still pending, waiting 30 sec and retrying"
    Start-Sleep -Seconds 30
    # Re-assign, otherwise the status check below still sees the stale "pending" object
    $id = Update-ACMEIdentifier -IdentifierRef $idRef
}

if ($id.Status -ne "valid") {
    throw "Identifier could not be validated (status: $($id.Status))."
}
else {
    Write-Host "Challenge appears completed. Building cert"
    New-ACMECertificate -IdentifierRef $idRef -Alias $certRef -Generate | Out-Null
    Submit-ACMECertificate -CertificateRef $certRef | Out-Null
    Start-Sleep -Seconds 15
    Update-ACMECertificate -CertificateRef $certRef

    # Export the key, the cert and a PKCS#12 bundle; these files are what you copy to another server
    New-Item -ItemType Directory -Path "C:\SSL" -Force | Out-Null
    Get-ACMECertificate -CertificateRef $certRef -ExportKeyPEM "C:\SSL\$dns.key.pem" -ExportCertificatePEM "C:\SSL\$dns.crt.pem" -ExportPkcs12 "C:\SSL\$dns.pfx"

    #Install Cert
    #Install-ACMECertificateToIIS -Certificate $certRef
}

Solution 2:

Supposing you are using the certbot tool to manage your Let's Encrypt certificates, which most people do, it is sufficient to copy the entire /etc/letsencrypt directory from one server to another. All of your certificates, as well as certbot configuration, are in there. So you can continue on the new server exactly as you were before.
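Both answers come down to moving the key and certificate files themselves (Solution 1 exports them to PEM/PFX, Solution 2 copies the whole /etc/letsencrypt directory). As an added example that is not part of either answer, the POSIX shell script below packages a certbot directory for transfer and then verifies the restored copy on the new host: every live/ symlink resolves, the private key is not readable by other users, and the private key actually matches cert.pem. The function names, paths and host names are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not code from either answer: package a certbot directory for
# transfer with file modes and symlinks intact, then verify the restored copy.
# Function names, paths and host names are placeholders chosen for this example.

# Archive the certbot state directory. tar stores the live/ symlinks as
# links, not copies; certbot creates them relative (../../archive/...), so
# they resolve unchanged after extraction on the new host.
pack_letsencrypt() {
    src=${1:-/etc/letsencrypt}
    out=${2:-/root/letsencrypt-backup.tar.gz}
    tar -C "$(dirname "$src")" -czf "$out" "$(basename "$src")" || return 1
    chmod 600 "$out"    # the archive contains private keys
}

# Restore on the destination (as root): -p keeps the stored modes so the
# privkey files stay 0600 instead of picking up the current umask.
unpack_letsencrypt() {
    tar -C "${2:-/etc}" -xzpf "$1"
}

# SHA-256 of the DER-encoded public key; works the same for RSA and EC keys.
pubkey_fp_from_cert() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
}
pubkey_fp_from_key() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256
}

# Check every lineage under live/: the four symlinks resolve, privkey.pem is
# not group/world readable, and the private key belongs to cert.pem.
# Prints one line per lineage; returns non-zero if anything failed.
verify_letsencrypt() {
    root=${1:-/etc/letsencrypt}
    status=0
    found=0
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        found=1
        name=$(basename "$dir")
        ok=1
        for f in cert.pem privkey.pem chain.pem fullchain.pem; do
            # -e follows the symlink, so a dangling link fails here
            if [ ! -e "$dir$f" ]; then
                echo "FAIL $name: $f missing or dangling symlink" >&2
                ok=0
            fi
        done
        if [ "$ok" -eq 1 ]; then
            # ls -lL shows the link target's mode; columns 5-10 are the group and other bits
            if [ "$(ls -lL "${dir}privkey.pem" | cut -c5-10)" != "------" ]; then
                echo "FAIL $name: privkey.pem is readable by group or others" >&2
                ok=0
            fi
            if [ "$(pubkey_fp_from_cert "${dir}cert.pem")" != "$(pubkey_fp_from_key "${dir}privkey.pem")" ]; then
                echo "FAIL $name: privkey.pem does not match cert.pem" >&2
                ok=0
            fi
        fi
        if [ "$ok" -eq 1 ]; then
            echo "OK   $name"
        else
            status=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "FAIL: no lineages found under $root/live" >&2
        status=1
    fi
    return $status
}

# Typical use on the old host, then on the new one:
#   pack_letsencrypt /etc/letsencrypt /root/le.tar.gz
#   (copy /root/le.tar.gz across with scp)
#   unpack_letsencrypt /root/le.tar.gz /etc && verify_letsencrypt /etc/letsencrypt
```

After extracting on the new server, run the verify function and then `certbot certificates` before pointing DNS at the new host; because the live/ links are relative and renewal.conf travels with the directory, renewals continue on the new host without re-issuing. As Solution 1 notes, nothing needs to be revoked for the move: the copy on the old server simply stops mattering once that machine is retired.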