Problem:
I moved servers – copying the Apache configuration and /etc/letsencrypt to the new server. Everything went well, but now when I have to renew I cannot. I get all types of errors. (Yes, I KNOW that I did a really dumb thing forgetting to copy my backups as well.)
Solution:
Here is what I had to do – much of it is similar to getting the "starter" Apache 2 SSL set up:
- You need to create the self-signed certificate first (e.g. "sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/apache-selfsigned.key -out /etc/ssl/certs/apache-selfsigned.crt")
- Once that is done, you need to create the SSL vhost files (assuming you are using virtual hosts – I am) using the self-signed certificate. You can (I did, at least) use the same self-signed certificate for each vhost. The important thing to note here is that the letsencrypt Apache plugin needs Apache already up and already serving at least one SSL vhost. It will not work if Apache is down and/or there are no SSL sites for it to take over. (This drove me mad for a couple of hours!)
- Once this is done you can back up your /etc/letsencrypt directory (you could probably blow it away, but you are probably paranoid now)
- Restart apache (e.g., apache2ctl restart – by this time I will terminate with extreme prejudice)
- Check to see if your sites are up and running. Your web browser probably will give you an insecure warning. That is okay – we will be putting real certificates in place; you just need to ensure that apache is working with ssl.
- Run letsencrypt --apache ya-da, ya-da, ya-da
- You might have to restart apache manually after it finishes but that’s okay
Now, don’t forget to:
1. Back up your letsencrypt directory (I am really paranoid now)
2. Back up your apache config files (Yes, I am really paranoid now)
One more thing:
- Make sure that the renewals are working (e.g., letsencrypt renew)
- Put that in your cron jobs so that it renews each month
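As an added example (not code from the original post), here is a POSIX sh script that does the bootstrap steps above end to end: generate the placeholder self-signed pair, write one SSL vhost per domain, check that Apache is really serving SSL before calling letsencrypt --apache, and provide the function a monthly cron entry should run. It assumes the Debian/Ubuntu Apache layout (apache2ctl, a2ensite, a2enmod, /etc/apache2/sites-available) and the older "letsencrypt" client name used in the post.

```shell
#!/bin/sh
# Constructed example: bootstrap placeholder SSL vhosts so that
# "letsencrypt --apache" has a running SSL site to take over.
# Assumes a Debian/Ubuntu Apache layout; run as root.

SELF_KEY=/etc/ssl/private/apache-selfsigned.key
SELF_CRT=/etc/ssl/certs/apache-selfsigned.crt

# Emit an SSL vhost for the domain in $1 that uses the shared self-signed pair.
ssl_vhost() {
  cat <<EOF
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName $1
    DocumentRoot /var/www/$1
    SSLEngine on
    SSLCertificateFile $SELF_CRT
    SSLCertificateKeyFile $SELF_KEY
    ErrorLog \${APACHE_LOG_DIR}/$1-ssl-error.log
</VirtualHost>
</IfModule>
EOF
}

# The precondition the post describes: key and cert readable, mod_ssl loaded,
# and at least one *:443 vhost known to Apache. Returns 1 if anything is missing.
ssl_ready() {
  [ -r "$SELF_KEY" ] && [ -r "$SELF_CRT" ] || return 1
  apache2ctl -M 2>/dev/null | grep -q ssl_module || return 1
  apache2ctl -S 2>/dev/null | grep -q '\*:443' || return 1
}

# What the monthly cron job should run: renew, then reload so the new cert is served.
renew_certs() {
  letsencrypt renew && apache2ctl graceful
}

main() {
  [ -r "$SELF_KEY" ] || openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=placeholder" -keyout "$SELF_KEY" -out "$SELF_CRT"
  dargs=""
  for d in "$@"; do
    ssl_vhost "$d" > "/etc/apache2/sites-available/$d-ssl.conf"
    a2ensite "$d-ssl.conf"
    dargs="$dargs -d $d"
  done
  a2enmod ssl
  apache2ctl restart
  ssl_ready || { echo "Apache is not serving SSL yet; fix that first" >&2; exit 1; }
  letsencrypt --apache $dargs   # word-splitting intended: one -d per hostname
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Invoke it as "sh bootstrap.sh example.com www.example.com"; the ssl_ready check is the part that would have saved the couple of hours mentioned above.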