Danrancan
Posts: 39
Joined: Wed Jan 15, 2020 4:28 am
Location: Milwaukee, WI, USA
Contact: Website Twitter

Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Tue Feb 04, 2020 8:19 pm

I still consider myself a noob even though I know a bit at this point, so please be gentle. Right now, I am working on my first project of making a Raspberry Pi a web server. I have successfully gotten my web server up and running, and JUST installed my Let's Encrypt certificates using certbot. So far, everything is a success. However, after installing my certs with certbot, certbot ends the "Congratulations" message with a note that I should properly back up my certificates and pemchain, and save them to a safe location. I would like to do this for multiple reasons, and am trying to figure out the best way to back up these newly created and registered certificates onto a USB stick. How does one go about doing this from the command line? What are the best tools to use (rsync, cp, etc.?) and what tools/commands would properly preserve my permissions?

Could someone give me some examples of how to back up my Let's Encrypt certificates and chain (including permissions) to a USB stick? I can't seem to find any good examples or suggestions on Google. So hopefully someone knowledgeable here can help. Thanks a ton for any info!
Nerd-Tech - Exploring Technology, Computers, and Techno…
https://github.com/danrancan
dan@nerd-tech.net
https://nerd-tech.net
https://keybase.io/danran/
My Keybase Invite https://keybase.io/inv/5a35010417/

DougieLawson
Posts: 39626
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Tue Feb 04, 2020 9:58 pm

Danrancan wrote:
Tue Feb 04, 2020 8:19 pm
Could someone give me some examples of how to back up my Let's Encrypt certificates and chain (including permissions) to a USB stick? I can't seem to find any good examples or suggestions on Google. So hopefully someone knowledgeable here can help. Thanks a ton for any info!

What's the point? They expire every 90 days. They get renewed earlier than the expiry date (from the cron job). You can replace a lost certificate with --force-renewal.
Note: Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

Criticising any questions is banned on this forum.

Any DMs sent on Twitter will be answered next month.
All fake doctors are on my foes list.

Skraaj
Posts: 29
Joined: Wed Nov 20, 2019 11:35 pm
Contact: Website

Re: Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Thu Feb 06, 2020 3:21 am

Danrancan wrote: Could someone give me some examples of how to back up my Let's Encrypt certificates and chain

Sure, but as DougieLawson said there's basically no point. However, if you really, really want to, you can. You have to be root in order to do that:

Code: Select all

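# become root: the certificate directories are readable by root only
sudo su -
# -L follows the symlinks in live/ so the real files are copied; -p keeps mode, ownership and timestamps
cp -Lp /etc/letsencrypt/live/example.com/* /destination/path/to/where/you/want/to/copy/certs/
Substitute example.com with the folder name where you keep your website, and /destination/path/to/where/you/want/to/copy/certs/ with the path where you will keep your backup. Certbot should have told you where they are exactly.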

A more interesting thing is that you can use those certs in other software that utilizes certs.

This is the default place where certbot stores your certificate files, again, substitute example.com

Code: Select all

/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
You can just put those paths in config files of software that uses certs.

If you ever lose your certs due to a new install or a cat ate your SD card then just get a new one. Just keep in mind Let's Encrypt's rate limits and do not get 10 certificates a day for the next month :P

Code: Select all

sudo certbot --apache
Follow prompts (or --nginx, depending on what you use to host) and you will have a new cert, and certbot will configure apache/nginx for you as well.

If your website is already accessible through https, you can test if the renewal process is going to be performed ok with the following

Code: Select all

sudo certbot renew --dry-run
In case you have to renew manually, run

Code: Select all

sudo certbot renew
But unless you did something wrong you shouldn't need to renew manually.


Is there any actual reason why you want to backup / copy your certs or just because certbot told you so? :P
codedoneright.eu – newbie friendly raspberry tutorials
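
As an added example (not part of any post in this thread): one way to keep permissions and certbot's live/ to archive/ symlinks intact is to archive the whole tree with tar instead of copying loose files. The script runs against a constructed sample tree; the function names and sample layout are assumptions for illustration, and for a real backup the source would be /etc/letsencrypt, run as root.

```shell
#!/bin/sh
# Added example: back up a certbot-style tree with modes and symlinks intact.
# Runs against a constructed sample tree, not the real /etc/letsencrypt.

# Build a throwaway tree shaped like certbot's: live/ holds relative symlinks
# into archive/, and both directories are mode 700.
make_sample_tree() {
    root=$1
    mkdir -p "$root/archive/example.com" "$root/live/example.com"
    for name in cert chain fullchain privkey; do
        printf 'constructed placeholder, not real PEM data\n' \
            > "$root/archive/example.com/${name}1.pem"
        ln -s "../../archive/example.com/${name}1.pem" \
            "$root/live/example.com/${name}.pem"
    done
    chmod 600 "$root/archive/example.com/privkey1.pem"
    chmod 700 "$root/archive" "$root/live"
}

# Archive the whole tree. tar stores symlinks as symlinks and records modes
# (and owners); umask 077 makes the tarball itself owner-only (mode 600).
backup_tree() {
    src=$1 tarball=$2
    (umask 077 && tar -czf "$tarball" -C "$(dirname "$src")" "$(basename "$src")")
}

# Restore under dest; -p applies the recorded modes instead of the umask.
restore_tree() {
    tarball=$1 dest=$2
    mkdir -p "$dest" && tar -xpzf "$tarball" -C "$dest"
}

# Octal mode of a path (GNU stat, as on Raspberry Pi OS).
mode_of() { stat -c '%a' "$1"; }

demo() {
    work=$(mktemp -d)
    make_sample_tree "$work/letsencrypt"
    backup_tree "$work/letsencrypt" "$work/backup.tar.gz"
    restore_tree "$work/backup.tar.gz" "$work/restored"
    echo "tarball mode: $(mode_of "$work/backup.tar.gz")"
    echo "privkey mode: $(mode_of "$work/restored/letsencrypt/archive/example.com/privkey1.pem")"
    echo "live link -> $(readlink "$work/restored/letsencrypt/live/example.com/privkey.pem")"
    rm -rf "$work"
}

demo
```

A FAT-formatted USB stick does not store Unix modes or symlinks, so the tarball is what carries them. The archive contains the private key, so the stick needs the same care as the key itself.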

DougieLawson
Posts: 39626
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Thu Feb 06, 2020 10:14 am

There's a free backup created by letsencrypt when it does the 90 day update.

Code: Select all

/etc/letsencrypt/archive/example.co.uk# ls -la
total 88
drwxr-xr-x 2 root root 4096 Jan  5 10:54 .
drwx------ 3 root root 4096 Mar  1  2017 ..
-rw-r--r-- 1 root root 2130 Apr 14  2019 cert13.pem
-rw-r--r-- 1 root root 2134 Jun 23  2019 cert14.pem
-rw-r--r-- 1 root root 2130 Aug 27 22:40 cert15.pem
-rw-r--r-- 1 root root 2134 Oct 28 03:19 cert16.pem
-rw-r--r-- 1 root root 2130 Jan  5 10:54 cert17.pem
-rw-r--r-- 1 root root 1647 Apr 14  2019 chain13.pem
-rw-r--r-- 1 root root 1647 Jun 23  2019 chain14.pem
-rw-r--r-- 1 root root 1647 Aug 27 22:40 chain15.pem
-rw-r--r-- 1 root root 1647 Oct 28 03:19 chain16.pem
-rw-r--r-- 1 root root 1647 Jan  5 10:54 chain17.pem
-rw-r--r-- 1 root root 3777 Apr 14  2019 fullchain13.pem
-rw-r--r-- 1 root root 3781 Jun 23  2019 fullchain14.pem
-rw-r--r-- 1 root root 3777 Aug 27 22:40 fullchain15.pem
-rw-r--r-- 1 root root 3781 Oct 28 03:19 fullchain16.pem
-rw-r--r-- 1 root root 3777 Jan  5 10:54 fullchain17.pem
-rw-r--r-- 1 root root 1708 Apr 14  2019 privkey13.pem
-rw-r--r-- 1 root root 1704 Jun 23  2019 privkey14.pem
-rw-r--r-- 1 root root 1704 Aug 27 22:40 privkey15.pem
-rw-r--r-- 1 root root 1704 Oct 28 03:19 privkey16.pem
-rw-r--r-- 1 root root 1704 Jan  5 10:54 privkey17.pem
root@apollo:/etc/letsencrypt/archive/example.co.uk#

Danrancan
Posts: 39
Joined: Wed Jan 15, 2020 4:28 am
Location: Milwaukee, WI, USA
Contact: Website Twitter

Re: Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Thu Feb 06, 2020 11:59 pm

DougieLawson wrote:
Tue Feb 04, 2020 9:58 pm
Danrancan wrote:
Tue Feb 04, 2020 8:19 pm
Could someone give me some examples of how to back up my Let's Encrypt certificates and chain (including permissions) to a USB stick? I can't seem to find any good examples or suggestions on Google. So hopefully someone knowledgeable here can help. Thanks a ton for any info!
What's the point? They expire every 90 days. They get renewed earlier than the expiry date (from the cron job). You can replace a lost certificate with --force-renewal.

The point is that I am learning, and have a tendency to misconfigure something or screw something up after my certificates are installed. Sometimes I would like to start from scratch and keep my certificates. Ultimately, the point is to learn. This is not a good proposed solution.

Danrancan
Posts: 39
Joined: Wed Jan 15, 2020 4:28 am
Location: Milwaukee, WI, USA
Contact: Website Twitter

Re: Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Fri Feb 07, 2020 12:03 am

Skraaj wrote:
Thu Feb 06, 2020 3:21 am
Danrancan wrote: Could someone give me some examples of how to back up my Let's Encrypt certificates and chain
Sure, but as DougieLawson said there's basically no point. However, if you really, really want to, you can. You have to be root in order to do that:

Code: Select all

# become root: the certificate directories are readable by root only
sudo su -
# -L follows the symlinks in live/ so the real files are copied; -p keeps mode, ownership and timestamps
cp -Lp /etc/letsencrypt/live/example.com/* /destination/path/to/where/you/want/to/copy/certs/
Substitute example.com with the folder name where you keep your website, and /destination/path/to/where/you/want/to/copy/certs/ with the path where you will keep your backup. Certbot should have told you where they are exactly.

A more interesting thing is that you can use those certs in other software that utilizes certs.

This is the default place where certbot stores your certificate files, again, substitute example.com

Code: Select all

/etc/letsencrypt/live/example.com/fullchain.pem
/etc/letsencrypt/live/example.com/privkey.pem
You can just put those paths in config files of software that uses certs.

If you ever lose your certs due to a new install or a cat ate your SD card then just get a new one. Just keep in mind Let's Encrypt's rate limits and do not get 10 certificates a day for the next month :P

Code: Select all

sudo certbot --apache
Follow prompts (or --nginx, depending on what you use to host) and you will have a new cert, and certbot will configure apache/nginx for you as well.

If your website is already accessible through https, you can test if the renewal process is going to be performed ok with the following

Code: Select all

sudo certbot renew --dry-run
In case you have to renew manually, run

Code: Select all

sudo certbot renew
But unless you did something wrong you shouldn't need to renew manually.


Is there any actual reason why you want to backup / copy your certs or just because certbot told you so? :P

Thank you so so much! This was very helpful! The reasons for wanting to back up are primarily what you mentioned above, as well as the following reasons:

1) To learn, to learn to learn.
2) In case I misconfigure something badly and need to start from scratch, but want to keep my certs so Let's Encrypt doesn't put a limit on my CSRs.
3) In case my cat ate my SD card.
4) To learn to learn to learn.

Anyways, thank you so much. This was very helpful!

DougieLawson
Posts: 39626
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK
Contact: Website Twitter

Re: Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Fri Feb 07, 2020 1:28 am

Danrancan wrote:
Thu Feb 06, 2020 11:59 pm
The point is that I am learning, and have a tendency to misconfigure something or screw something up after my certificates are installed. Sometimes I would like to start from scratch and keep my certificates. Ultimately, the point is to learn. This is not a good proposed solution.

DON'T EVER use sudo. Simple.

If you aren't root you can't muck up your letsencrypt stuff.

Spend your time learning why you don't need root for 99.999% of stuff you're doing on your Raspberry Pi. That will be more productive than worrying about letsencrypt certs.

Danrancan
Posts: 39
Joined: Wed Jan 15, 2020 4:28 am
Location: Milwaukee, WI, USA
Contact: Website Twitter

Re: Backing up LetsEncrypt web server certificates and pemchain with proper permissions?

Thu Feb 13, 2020 10:30 pm

DougieLawson wrote:
Fri Feb 07, 2020 1:28 am
Danrancan wrote:
Thu Feb 06, 2020 11:59 pm
The point is that I am learning, and have a tendency to misconfigure something or screw something up after my certificates are installed. Sometimes I would like to start from scratch and keep my certificates. Ultimately, the point is to learn. This is not a good proposed solution.
DON'T EVER use sudo. Simple.

If you aren't root you can't muck up your letsencrypt stuff.

Spend your time learning why you don't need root for 99.999% of stuff you're doing on your Raspberry Pi. That will be more productive than worrying about letsencrypt certs.

I'm well aware of what sudo and root are. And when building a LEMP server, sudo is unfortunately needed a decent amount, especially when modifying nginx configurations with nano or vim. I do not use sudo unless absolutely necessary. Again, not a good answer to the question at hand. Thank you for the input though.
