Steps:
1. Set Up Passwordless SSH Access
Ensure that the server running Let’s Encrypt (Server1) can connect to the target server (Server2) via SSH without a password:
On Server1, generate an SSH key pair (if not already created):
ssh-keygen -t rsa -b 4096
Copy the public key to Server2:
ssh-copy-id user@server2
Replace user
with the username on Server2.
2. Create a Script for Copying Certificates
On Server1, create a script (e.g., copy_cert.sh
) to copy the certificate files to Server2:
#!/bin/bash
REMOTE_USER="user"
REMOTE_SERVER="server2"
REMOTE_PATH="/path/to/certificates"
scp /etc/letsencrypt/live/yourdomain.com/fullchain.pem ${REMOTE_USER}@${REMOTE_SERVER}:${REMOTE_PATH}/
scp /etc/letsencrypt/live/yourdomain.com/privkey.pem ${REMOTE_USER}@${REMOTE_SERVER}:${REMOTE_PATH}/
Replace yourdomain.com
with your domain.
Replace /path/to/certificates
with the directory on Server2 where the certificates should be stored.
Make the script executable:
chmod +x copy_cert.sh
3. Test the Script
Run the script manually to ensure the certificates are copied successfully
./copy_cert.sh
4. Use Certbot’s --deploy-hook
Modify the Certbot renewal configuration to include a deploy hook that runs the script after successful renewal. You can add this directly when renewing or use an existing configuration:
certbot renew --deploy-hook "/path/to/copy_cert.sh"
Alternatively, edit the renewal configuration file (usually located at /etc/letsencrypt/renewal/yourdomain.com.conf
):
renew_hook = /path/to/copy_cert.sh
5. Ensure Scheduled Renewal
Certbot typically installs a cron job or systemd timer for automatic renewal. Verify it:
For cron: Check /etc/cron.d/certbot
.
For systemd: Check certbot.timer
with:
systemctl list-timers | grep certbot
6. Restart Services on Server2 (Optional)
If the certificates are used by a service (e.g., Nginx or Apache) on Server2, modify the script to restart the service:
ssh ${REMOTE_USER}@${REMOTE_SERVER} "sudo systemctl reload nginx"
Now, whenever the certificate is renewed on Server1, it will automatically be copied to Server2 and (optionally) reload the relevant service.