acmesh-official / acme.sh

A pure Unix shell script implementing ACME client protocol
https://acme.sh
GNU General Public License v3.0

Migrate certs to another server #2723

Open KoderFPV opened 4 years ago

KoderFPV commented 4 years ago

Hi Guys, I am pretty new to the certs world and to acme.sh. I am coming from the frontend side of this planet ;)

However, I have certs generated (issued, I guess) by acme.sh. I don't have a previous .acme.sh folder. I have just directories with cert files like .csr, .cer, *.key etc. How can I install the same certs on the new VPS? I just cloned and installed a new acme.sh application, but I cannot find any command to restore from existing cert files.

Thanks!

FernandoMiguel commented 4 years ago

@Tarvald it's easier just to install acme.sh and issue new certs on the new server

KoderFPV commented 4 years ago

Shouldn't I use the same certs as they were originally created? I am not sure, but the certs might be related to the API of the application located on this server. There is a small risk that reusing the same certs is required.

FernandoMiguel commented 4 years ago

@Tarvald the whole point of ACME and Let's Encrypt is that you have short-lived certs. So the system should handle new certs all the time.

KoderFPV commented 4 years ago

@FernandoMiguel Thanks for the fast response! But I can renew them, right? For a few days, I have been trying to keep alive one of my new client's applications on a VPS. It is a kind of gateway from an external system to the client system. This gateway requires a TLS private key and a TLS (?) cert file to be set on init. And the client sent a cert file to this external system.

So can I somehow keep the same certs by only renewing them every 3 months? If I can, how can I transfer the same certs to another VPS and have them under the control of the ./acme.sh script?

Sorry for the confusing description, but I am still learning about certificates and the security concerning them.

FernandoMiguel commented 4 years ago

You can issue/renew if you control the domain or at least the DNS endpoint for the A/AAAA record.

Not sure what your client sent you, or what that represents, sorry.

You should try to read a bit more about how TLS and Certificates work to prevent problems in the future.

Having a testing environment would also help you greatly.

Neilpang commented 4 years ago

There are a lot of deploy hooks that can deploy the cert/keys. But a good practice is to generate/issue a cert for each server.

KoderFPV commented 4 years ago

@FernandoMiguel I have a testing server, and all I want to do is set up a test environment. So don't worry.

But I will share a little bit of what is going on.

I have a new client who finished cooperation with the previous development team. The client has two apps: one simple Java API, and a second one, a gateway to this API for an external system.

The external system requires connecting to our gateway with TLS certs. We have an instance of the gateway with certificates generated with acme.sh. The cert file and key file are attached to this gateway, and the cert file was sent to the external system. So if we change certs, the external system won't be authorized to connect to our gateway. We would have to send them new certs, and we don't want to do this every 3 months ;)

Also, the previous team had a staging environment on their VPS. Their staging also had certs generated by acme.sh. However, the staging environment collapsed at the end of the cooperation, and all configs were sent to my client, for the new team to set up staging on their own. I would like to reuse their certs. We have them zipped.

And the reason why I don't want to just generate new certs is that we will have to migrate the gateway application from AWS to some cheaper provider soon. And after this migration, I would like to be able to use the same cert files and not send a new one to the external system. We will just change the API domain leading to our gateway.

So configuring a new staging environment while keeping the same certs is very similar to the process of migrating this gateway to a new VPS.

So I would like to train to keep the existing certs, or at least compatible ones.

Is it possible somehow?

The server will change but domain will stay the same.

Thanks

FernandoMiguel commented 4 years ago

What do you mean by sending them the certs? Are you talking about auth in Java? If that is the case, Let's Encrypt certs will be a poor choice for mTLS (mutual TLS trust).

If OTOH you are issuing certs that your client is going to host under his domain, you will have a bit more work to issue them (unless you control the DNS and can use DNS validation).

KoderFPV commented 4 years ago

@FernandoMiguel I am controlling the domain / DNS / Cloudflare. My client is a nontechnical person.

By sending them the certs I mean sending the *.cert file or cert.pem to them. The gateway has the cert and key attached.

I am sending the cert file and hostname to the external system; in this case, the domain is under the control of Cloudflare.
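A sanity check to run on a zipped cert/key pair before dropping it onto the new server, as an added example that is not acme.sh's own code or anything posted in this thread: it confirms the private key really belongs to the cert, prints the SHA-256 fingerprint a peer that pins the cert would compare against, and checks how long the cert stays valid. It assumes openssl is installed; the file names are placeholders.

```shell
#!/bin/sh
# Added example (not from acme.sh or this issue). Requires openssl.

# cert_key_match CERT KEY: succeed only if KEY is the private key for CERT.
# Compares SHA-256 digests of the two public keys; works for RSA and ECDSA.
cert_key_match() {
  openssl x509 -in "$1" -noout 2>/dev/null || return 1   # refuse unparsable input
  openssl pkey -in "$2" -noout 2>/dev/null || return 1   # (avoids comparing two empty digests)
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}')
  key_pub=$(openssl pkey -in "$2" -pubout | openssl dgst -sha256 | awk '{print $NF}')
  [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint CERT: SHA-256 fingerprint of the leaf certificate. A peer
# that pins the certificate itself compares this value, and it changes on
# every renewal, which is why a pinned short-lived cert is awkward.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_valid_for_days CERT DAYS: succeed if CERT is still valid DAYS from now.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# check_pair CERT KEY: run all checks, print a short report, nonzero on failure.
check_pair() {
  status=0
  if cert_key_match "$1" "$2"; then
    echo "key matches cert"
  else
    echo "KEY DOES NOT MATCH CERT"; status=1
  fi
  echo "subject:     $(openssl x509 -in "$1" -noout -subject)"
  echo "fingerprint: $(cert_fingerprint "$1")"
  if cert_valid_for_days "$1" 30; then
    echo "valid for at least 30 more days"
  else
    echo "EXPIRES WITHIN 30 DAYS (or already expired)"; status=1
  fi
  return $status
}

# Usage: sh check_pair.sh fullchain.cer domain.key   (placeholder file names)
if [ "$#" -eq 2 ]; then
  check_pair "$1" "$2"
fi
```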