Avoid Migration Toolkit to copy /etc/letsencrypt certificates when unnecessary

Discussion in 'Plugins/Modules/Addons' started by Aldo Giove, Mar 25, 2023.

  1. Aldo Giove

    Aldo Giove New Member

    Hi all,
    I'm trying to use the Migration Toolkit.
    My scenario is:
    • source server with a number of email and web domains (i.e., A, B, C, D, E, F)
    • target server where I want to migrate SOME of such email and web domains (i.e., A, B only)
    • Both servers run certbot for "historical" reasons: I didn't even try to migrate to acme.sh to avoid problems, as suggested in several threads in this forum.
    I tried to migrate two websites A and B and one mail domain to the target server with the --only-xxxxx flags; it worked BUT... I found in the /etc/letsencrypt folder on the target server all Let's Encrypt certificates copied from the source server, including those of the non-migrated domains (C, D, E, F).
    This behavior left letsencrypt/certbot on the target server in an erroneous state: for example, running
    Code:
    certbot renew
    fails for all certificates that were copied for non-migrated domains (C, D, E, F). I had to manually remove all non-relevant certificates from the "live", "archive" and "renewal" subfolders of /etc/letsencrypt. Tedious and error-prone.

    Moreover, it could be much worse if, during this process, existing files in /etc/letsencrypt on target server would be overwritten (aren't they, right?).

    Looking in the log, it seems that all letsencrypt certificates are copied as a whole in a single step with rsync:
    The question is:
    Is there any command-line option to limit migration only to relevant letsencrypt certificates to the target server?

    Thank you
    Aldo
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can run the certbot delete command to delete all relevant directories/files for a domain. And you can automate that as well of course. I'd recommend going that way.
     
    Aldo Giove likes this.
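The automated `certbot delete` cleanup suggested above could look like the following; this is an added example, not code from the thread or from ISPConfig. It assumes each certificate lineage is named after its domain (the `renewal/<name>.conf` file name), and the function names, `LE_DIR` and `DRY_RUN` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): remove certbot lineages that belong to
# domains which were NOT migrated, so that "certbot renew" stops failing.

# Assumption: default certbot config directory; override LE_DIR for testing.
LE_DIR="${LE_DIR:-/etc/letsencrypt}"

# Print every lineage name found in $LE_DIR/renewal that is not in the
# space-separated keep list.  Usage: stale_lineages "a.example b.example"
stale_lineages() {
    keep=" $1 "
    for conf in "$LE_DIR"/renewal/*.conf; do
        [ -e "$conf" ] || continue           # directory missing or empty
        name=$(basename "$conf" .conf)
        case "$keep" in
            *" $name "*) ;;                  # migrated domain: keep it
            *) printf '%s\n' "$name" ;;      # copied but not migrated
        esac
    done
}

# Delete each stale lineage with certbot, which removes the matching entries
# under live/, archive/ and renewal/.  With DRY_RUN=1 (the default) the
# commands are only printed so the list can be reviewed first.
prune_lineages() {
    stale_lineages "$1" | while IFS= read -r name; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            printf 'certbot delete --non-interactive --cert-name %s\n' "$name"
        else
            certbot delete --non-interactive --cert-name "$name" </dev/null
        fi
    done
}

# When run as a script, the arguments are the domains to keep.
if [ "$#" -gt 0 ]; then
    prune_lineages "$*"
fi
```

Run it once with the migrated domains as arguments to review the printed commands, then again with `DRY_RUN=0` to perform the deletions.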
  3. Aldo Giove

    Aldo Giove New Member

    Thanks for your answer, Th0m.
    Not that elegant, but if there is no other way...
    Kind regards
    Aldo
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Just specify the command line option --skip-letsencrypt

    Code:
    ./migrate --skip-letsencrypt
    So that the Let's Encrypt certs do not get copied. When the migration is finished, log in to ISPConfig and enable the Let's Encrypt checkbox for the site. Just be aware that DNS for the site must have been switched over to the new system before you can enable Let's Encrypt.
     
    ahrasis and Aldo Giove like this.
  5. Aldo Giove

    Aldo Giove New Member

    Thank you Till.
    Kind regards
    Aldo
     
  6. Farsus

    Farsus Member

    Small question: can this way be used to go from a certbot-based server to a new clean acme-based server?
     
    ahrasis and Aldo Giove like this.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes.
     
    ahrasis and Aldo Giove like this.
  8. Farsus

    Farsus Member

    Thank you, very good option :) :)
     
    Aldo Giove likes this.
