Moving servers and Let's Encrypt certificates from Apache to Nginx

An Tran • January 13, 2019

server web

I have just moved my blog from an old server running Ubuntu 14.04 and Apache to a new server running Ubuntu 18.04 and nginx. The blog itself is just a bunch of static pages, so I thought moving them to a new server would be trivial. But then I realized that I had also set up Let's Encrypt certificates for my site some years ago, and everything certbot keeps under /etc/letsencrypt (certificates, private keys, the ACME account key and the renewal configuration) has to come along as well. This post outlines the steps I used to move my blog from the old server to the new one. My VPS is hosted by DigitalOcean, but the steps should apply to any other VPS provider.

Step 1: Create a new VPS instance

Install Ubuntu 18.04. DigitalOcean has a detailed initial setup tutorial (sudo user, SSH keys, basic firewall) here: https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-18-04

Step 2: Set up nginx

Since I'm going to host some PHP projects on my server, I followed the steps to install the whole LEMP stack. But if you only want to install nginx, there is also a tutorial from DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-18-04

Step 3: Back up the Let's Encrypt files from the old server

Everything certbot needs is stored in /etc/letsencrypt: the certificates and private keys in archive/, the symlinks in live/ that point at the current version of each file, the ACME account key in accounts/, and the per-domain renewal configuration in renewal/. I downloaded all of them from the old server to my local machine using the following command.

# -a preserves the symlinks in live/ and the root-only permissions on archive/;
# the remote user must be able to read the keys as root (or use --rsync-path="sudo rsync").
# Without a trailing slash on the source, this creates ~/cert/letsencrypt/ locally.
rsync -avzh MyRootUser@MyOldServerIP:/etc/letsencrypt ~/cert

Keep in mind that ~/cert now holds your private keys and account key in the clear: keep it off shared machines and delete it once the new server has been verified.

Step 4: Copy the Let's Encrypt files to the new server

I copied all files to the new server using a similar rsync call. Note that the download above put the tree under ~/cert/letsencrypt, so that is the directory whose contents must land in /etc/letsencrypt on the new server; copying from ~/cert itself would produce /etc/letsencrypt/letsencrypt and certbot would find nothing.

# Copy the contents of the saved tree into /etc/letsencrypt on the new server
# (again as root, or with --rsync-path="sudo rsync").
cd ~/cert/letsencrypt
rsync -avz . MyRootUser@MyNewServerIP:/etc/letsencrypt

Step 5: Install certbot with its nginx plugin

Since my old certificates were set up for Apache, I need to hook them up to the newly installed nginx server. The certificate and key files themselves are plain PEM files and not tied to any web server; what is Apache-specific is only certbot's renewal configuration and the options-ssl-apache.conf snippet. So this step amounts to installing certbot together with the nginx plugin (python-certbot-nginx) and pointing the nginx server block at /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem. This is quite straightforward when you follow the following tutorial by DigitalOcean: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

Step 6: Fix auto-renewal for the Let's Encrypt certificates

You can now test whether the certificates can be renewed without actually renewing them (the dry run goes against Let's Encrypt's staging environment) with this command:

sudo certbot renew --dry-run

You will probably see the following errors in the console.

server@peacemoon:/var/www/peacemoon.de/html$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/peacemoon.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 0.29.1 renewal configuration file found at /etc/letsencrypt/renewal/peacemoon.de.conf with version 0.26.1 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
Attempting to renew cert (peacemoon.de) from /etc/letsencrypt/renewal/peacemoon.de.conf produced an unexpected error: The requested apache plugin does not appear to be installed. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/peacemoon.de/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/peacemoon.de/fullchain.pem (failure)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

This is because the renewal configuration copied from the old server still tells certbot to use the apache plugin, which is not installed on the new server. The warning about a version 0.29.1 configuration file being parsed by certbot 0.26.1 is a separate issue: the old server ran a newer certbot than the new one. It is harmless here, but it is a hint to install a current certbot on the new server.

You can switch to nginx by editing the renewal configuration for the domain, /etc/letsencrypt/renewal/peacemoon.de.conf, and changing the two plugin lines in the [renewalparams] section from

authenticator = apache
installer = apache

to nginx. Certbot then reports "Plugins selected: Authenticator nginx, Installer nginx" on the next run.

You can also safely delete options-ssl-apache.conf, the TLS settings snippet that the apache plugin includes into Apache vhosts; the nginx plugin maintains its own options-ssl-nginx.conf (plus ssl-dhparams.pem) instead.

sudo rm /etc/letsencrypt/options-ssl-apache.conf
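The renewal-config fix-up from this step, together with a check of the tree copied in Steps 3 and 4, condensed into a POSIX sh script. This is an added example and not part of the original post: it rewrites the plugin lines of a renewal config from apache to nginx (keeping a backup), counts how many renewal configs still reference apache, and verifies that a copied lineage is intact (the symlinks in live/ resolve, privkey.pem is not world-readable, and the private key really belongs to cert.pem). The function names, the demo tree and the sample renewal config it builds (including the made-up account id) are my constructions; the renewal/, live/ and archive/ layout and the authenticator/installer keys under [renewalparams] are certbot's. The lineage check needs openssl; the demo does not.

```shell
#!/bin/sh
# Added example, not from the original post: fix up a certbot tree that was
# rsync'ed from an Apache host so that the nginx plugin can renew it.
# Assumed: certbot's standard layout (renewal/, live/, archive/) and the
# `authenticator` / `installer` keys in [renewalparams]; check_lineage needs openssl.

# Rewrite the plugin lines of one renewal config from apache to nginx.
# A backup is kept next to it; certbot only reads files ending in .conf.
migrate_renewal_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such renewal config: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak-apache"
    tmp="$conf.tmp.$$"
    sed -e 's/^authenticator = apache$/authenticator = nginx/' \
        -e 's/^installer = apache$/installer = nginx/' "$conf" > "$tmp" \
        && mv "$tmp" "$conf"
    grep -E '^(authenticator|installer) = ' "$conf"   # show the result for review
}

# How many renewal configs under DIR still name the apache plugin (0 = done).
count_apache_refs() {
    grep -lE '^(authenticator|installer) = apache$' "$1"/renewal/*.conf 2>/dev/null \
        | wc -l | tr -d ' '
}

# Sanity-check one copied lineage DIR/live/NAME: every symlink must resolve
# (rsync -a keeps them, a plain cp -r may not), the key should be root-only,
# and the key must match the certificate, otherwise nginx refuses to start.
check_lineage() {
    live="$1/live/$2"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        [ -e "$live/$f" ] || { echo "missing or dangling: $live/$f" >&2; return 1; }
    done
    case "$(stat -L -c '%a' "$live/privkey.pem")" in
        *[4567]) echo "warning: $live/privkey.pem is world-readable" >&2 ;;
    esac
    certpub=$(openssl x509 -noout -pubkey -in "$live/cert.pem")
    keypub=$(openssl pkey -pubout -in "$live/privkey.pem")
    [ "$certpub" = "$keypub" ] || { echo "privkey.pem does not match cert.pem ($2)" >&2; return 1; }
    echo "lineage $2 OK"
}

# Build a constructed stand-in for what Step 3 brings over: only the renewal
# config, in certbot 0.29 format, with a made-up account id. No key material.
make_sample_tree() {
    mkdir -p "$1/renewal"
    cat > "$1/renewal/$2.conf" <<EOF
# renew_before_expiry = 30 days
version = 0.29.1
archive_dir = /etc/letsencrypt/archive/$2
cert = /etc/letsencrypt/live/$2/cert.pem
privkey = /etc/letsencrypt/live/$2/privkey.pem
chain = /etc/letsencrypt/live/$2/chain.pem
fullchain = /etc/letsencrypt/live/$2/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
EOF
}

# Usage: sh migrate.sh                          demo on a constructed tree
#        sh migrate.sh /etc/letsencrypt NAME    fix and check a real lineage (run as root)
main() {
    if [ $# -eq 2 ]; then
        migrate_renewal_conf "$1/renewal/$2.conf" && check_lineage "$1" "$2"
        return $?
    fi
    demo=$(mktemp -d)
    make_sample_tree "$demo" peacemoon.de
    echo "configs still on apache: $(count_apache_refs "$demo")"
    migrate_renewal_conf "$demo/renewal/peacemoon.de.conf"
    echo "configs still on apache: $(count_apache_refs "$demo")"
    rm -rf "$demo"
}
main "$@"
```

Run it as root with /etc/letsencrypt and the lineage name right after Step 4. The key/cert comparison works by deriving the public key from privkey.pem and comparing it with the one embedded in cert.pem, which catches the typical bad copy where the live/ symlinks were replaced by stale regular files from an earlier renewal.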

Let's dry-run again:

server@peacemoon:/etc/letsencrypt/renewal$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/peacemoon.de.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Attempting to parse the version 0.29.1 renewal configuration file found at /etc/letsencrypt/renewal/peacemoon.de.conf with version 0.26.1 of Certbot. This might not work.
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator nginx, Installer nginx
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for peacemoon.de
http-01 challenge for www.peacemoon.de
Waiting for verification...
Cleaning up challenges

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
new certificate deployed with reload of nginx server; fullchain is
/etc/letsencrypt/live/peacemoon.de/fullchain.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/peacemoon.de/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.

If everything works as expected, your Let's Encrypt certificates are now migrated to the new server running nginx, and renewal works again. Two things are worth checking before you rely on it: the http-01 challenges above only succeed once the DNS records for the domain point at the new server, because Let's Encrypt validates them over port 80 against whatever host the name resolves to; and the certbot package's renewal timer (certbot.timer, or the cron entry in /etc/cron.d/certbot) must be present and active, otherwise nothing will ever run certbot renew for you (systemctl list-timers shows the timer). Since the private key has now passed through three machines, an alternative worth knowing is to skip Steps 3 and 4 and simply issue a fresh certificate on the new server with certbot --nginx; unless you pin the key somewhere (HPKP, DANE/TLSA records), no client depends on keeping the old one. You are now safe to delete the old server instance (naturally after you have migrated all your data to the new server); destroying the VPS also gets rid of the key copy still sitting on it.