Migration of certs already created with original client.

[kevin-lot]

Question :
I have some certs on a server created with original client.
I switched to docker and docker-compose, I would like to use letsencryt-companion with old certs.

Can I copy old certs then how can I do in order that companion use them directly ?

Best regards.

[buchdag]

Hi @kevin-lot

By original client, do you mean certbot or simp_le ?

[kevin-lot]

I mean certbot.

[buchdag]

Let say you have a certificate for www.example.tld obtained with certbot on the same machine where you are running docker and nginx-proxy + the LE companion, and your LE companion container is named your-le-container.

First, create the /etc/nginx/certs/www.example.tld folder inside your docker volume for certificates:

docker exec your-le-container mkdir -p /etc/nginx/certs/www.example.tld

Then copy the existing certificate, chain, full chain and private key inside this folder with the correct names (only the private key has a different name between certbot and simp_le):

sudo docker cp -L /etc/letsencrypt/live/www.example.tld/cert.pem your-le-container:/etc/nginx/certs/www.example.tld/
sudo docker cp -L /etc/letsencrypt/live/www.example.tld/chain.pem your-le-container:/etc/nginx/certs/www.example.tld/
sudo docker cp -L /etc/letsencrypt/live/www.example.tld/fullchain.pem your-le-container:/etc/nginx/certs/www.example.tld/
sudo docker cp -L /etc/letsencrypt/live/www.example.tld/privkey.pem your-le-container:/etc/nginx/certs/www.example.tld/key.pem

sudo will probably be necessary because the folders inside /etc/letsencrypt/live aren't world readable. Don't forget the -L flag to docker cp or you'll end up copying the symlinks rather than the actual files.

Then create your proxyed service with VIRTUAL_HOST and LETSENCRYPT_HOST both set to www.example.tld as you would normaly do. If the certificate is still valid for more than 30 days, the container will use the existing files you just copied into it.

If the certificate is a SAN certificate, be sure to put the name of the folder you created inside /etc/nginx/certs first in the LETSENCRYPT_HOST environment variable.

Example: you have a SAN certificate covering example.tld, www.example.tld and whatever.tld inside /etc/letsencrypt/live/example.tld. Create the /etx/nginx/certs/example.tld folder inside the container, copy the files, then put example.tld first inside the LETSENCRYPT_HOST environment variable of the proxyed container (so either LETSENCRYPT_HOST=example.com,www.example.com,whatever.tld or LETSENCRYPT_HOST=example.com,whatever.tld,www.example.com)

Let me know if something is unclear.

[Flugpanda]

Hi there.

I tried to migrate my via certbot created certs from my old home server to a new machine. Therefore I performed the above mentioned steps, but my attempts always result in the error listed below.

16:34:29,720:INFO:simp_le:360: Saving account_key.json,
Traceback (most recent call last):,
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1584, in main,
    return main_with_exceptions(cli_args),
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1567, in main_with_exceptions,
    persist_new_data(args, existing_data),
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1489, in persist_new_data,
    account_key=client.key, key=None, cert=None, chain=None)),
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 1195, in persist_data,
    plugin.save(new_data),
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 493, in save,
    key = self.dump_key(data.key),
  File "/usr/lib/python2.7/site-packages/simp_le.py", line 436, in dump_key,
    return OpenSSL.crypto.dump_privatekey(self.typ, data.wrapped).strip(),
AttributeError: 'NoneType' object has no attribute 'wrapped',
,
Unhandled error has happened, traceback is above

Basicaly I used the examples of Evert Ramos to setup nginx, nginx-gen, nginx-letsencrypt, mariadb and nextcloud. I just changed the .env files and ket the docker.compose.yml's untouched. Afterwords I copied the certs to the volume of nginx-letsencrypt, so that my setup of my certs on the new machine looks something like this.

[root@rancher]─[/mnt/zfs/nginx-proxy/data/certs/cloud.mydomain.com]
#ls -la
total 19
drwxr-xr-x    2 rancher  root             6 Jan 23 16:29 .
drwxr-xr-x    3 rancher  root             3 Jan 23 16:27 ..
-rw-r--r--    1 rancher  root          2033 Jan 18 12:08 cert.pem
-rw-r--r--    1 rancher  root          1647 Jan 18 12:08 chain.pem
-rw-r--r--    1 rancher  root          3680 Jan 18 12:08 fullchain.pem
-rw-r--r--    1 rancher  root          1704 Jan 18 12:08 key.pem

After all, I can't get nginx-letsencrypt to work properly.
So please let me know if I missed out on something from your explanation.

Kind regards.

[buchdag]

I don't know what you might have missed, I just tried using the exact same method and it just worked.

Are you sure your certificate is an RSA cert ? simp_le does not handle ECDSA certificates at the moment.

Are you certain your files were copied correctly ? Are they readable with openssl (openssl rsa -in key.pem -noout -text for the private key and openssl x509 -in file_name -noout -text for cert.pem, chain.pem and fullchain.pem -don't post the output here, just check on your host-) ?

Note that I won't be able to provide much more support if you use Evert Ramos examples.