Copy Let’s Encrypt certificate to another server after renewal

Steps:

    1. Set Up Passwordless SSH Access

    Ensure that the server running Let’s Encrypt (Server1) can connect to the target server (Server2) via SSH without a password. Certbot runs its hooks as root, so the key must belong to root on Server1 (generate it as root, or with sudo); a key in an ordinary user’s home directory will not be found when the hook fires.

    On Server1, as root, generate an SSH key pair (if not already created). Ed25519 is the current default choice; RSA 4096 also works:

    ssh-keygen -t ed25519

    Copy the public key to Server2:

    ssh-copy-id user@server2

    Replace user with the username on Server2. Because this key has no passphrase, use a dedicated, unprivileged account on Server2 for it rather than root, and give that account only the directory and the reload command it needs (see step 6).

    2. Create a Script for Copying Certificates

    On Server1, create a script (e.g., copy_cert.sh) to copy the certificate files to Server2. The files under /etc/letsencrypt/live/ are symlinks to the current version in /etc/letsencrypt/archive/; scp follows them, so the live/ path always yields the newest certificate:

    #!/bin/bash
    set -e
    REMOTE_USER="user"
    REMOTE_SERVER="server2"
    REMOTE_PATH="/path/to/certificates"

    scp /etc/letsencrypt/live/yourdomain.com/fullchain.pem "${REMOTE_USER}@${REMOTE_SERVER}:${REMOTE_PATH}/"
    scp /etc/letsencrypt/live/yourdomain.com/privkey.pem "${REMOTE_USER}@${REMOTE_SERVER}:${REMOTE_PATH}/"

    Replace yourdomain.com with your domain.

    Replace /path/to/certificates with the directory on Server2 where the certificates should be stored. That directory must exist and should be readable only by root and the service that uses the key (mode 0700 or 0750); privkey.pem itself should end up 0600, because scp only preserves the source permissions, it does not tighten them.

    Make the script executable, and keep it owned by root and not writable by anyone else, since certbot will execute it as root:

    chmod 755 copy_cert.sh

    3. Test the Script

    Run the script manually, as root, to ensure the certificates are copied successfully under the same account certbot will use. The first connection to Server2 also records its host key in root’s known_hosts, which a non-interactive hook cannot do later:

    sudo ./copy_cert.sh

    Then confirm on Server2 that both files arrived and that privkey.pem is not world-readable (ls -l in the target directory).

    4. Use Certbot’s --deploy-hook

    Add a deploy hook so the script runs after each successful renewal. Deploy hooks run only when a certificate was actually renewed, and certbot exports RENEWED_LINEAGE (the live/ directory of the renewed certificate) and RENEWED_DOMAINS to the hook. You can pass the hook on the command line:

    certbot renew --deploy-hook "/path/to/copy_cert.sh"

    Alternatively, edit the renewal configuration file (usually located at /etc/letsencrypt/renewal/yourdomain.com.conf) and add the hook under the [renewalparams] section:

    renew_hook = /path/to/copy_cert.sh

    The simplest option that needs no configuration change is to place the script (executable) in /etc/letsencrypt/renewal-hooks/deploy/; every script in that directory runs after any successful renewal.

    5. Ensure Scheduled Renewal

    Certbot typically installs a cron job or systemd timer for automatic renewal. Verify it:

    For cron: Check /etc/cron.d/certbot.

    For systemd: Check certbot.timer (or snap.certbot.renew.timer when certbot was installed as a snap) with:

    systemctl list-timers | grep certbot

    Note that certbot renew --dry-run exercises the renewal itself but does not run deploy hooks by default, so a dry run alone does not prove the copy works; step 3 does.

    6. Restart Services on Server2 (Optional)

    If the certificates are used by a service (e.g., Nginx or Apache) on Server2, extend the script to reload the service after copying. A reload picks up the new certificate without dropping established connections; a restart is only needed if the service cannot reload:

    ssh ${REMOTE_USER}@${REMOTE_SERVER} "sudo systemctl reload nginx"

    For this to work non-interactively, the account on Server2 needs a passwordless sudo rule, limited to exactly that command rather than a blanket NOPASSWD: ALL, for example in /etc/sudoers.d/certsync:

    user ALL=(root) NOPASSWD: /bin/systemctl reload nginx

    Now, whenever the certificate is renewed on Server1, it will automatically be copied to Server2 and (optionally) the relevant service will be reloaded.
