Today I'm changing out my old Ubuntu firewall server with a Debian 9 system. The only concern so far: certbot. And it was a minor challenge.

I did an apt-get install python-certbot-nginx and hit y to install it and all of the dependencies.

I then tar'd up the /etc/letsencrypt directory on the source server.

cd /etc/letsencrypt
tar -cvpf ~/letsencrypt.tar .

Copy the letsencrypt.tar file to the target folder and extract it:

cd /etc/letsencrypt
scp <user>@<source server>:<path to letsencrypt.tar> letsencrypt.tar
tar -xpvf letsencrypt.tar
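
A quick check of the extracted tree before the dry run, as an added example that is not part of the original post: certbot keeps the files under live/ as relative symlinks into archive/, and the private keys should come across still unreadable to group and others. The function names and the example.test sample tree are made up for the illustration.

```shell
#!/bin/sh
# check_le_tree ROOT: return 0 if every live/ symlink resolves and no private
# key is readable by group or others; otherwise print each problem, return 1.
check_le_tree() {
    root=$1
    bad=0
    # live/<name>/*.pem are relative symlinks into archive/<name>/.
    for link in "$root"/live/*/*.pem; do
        [ -L "$link" ] || continue          # also skips an unmatched glob
        if [ ! -e "$link" ]; then           # -e follows the link
            echo "broken symlink: $link"
            bad=1
        fi
    done
    # tar -p keeps file modes; confirm the keys are still private.
    for key in "$root"/archive/*/privkey*.pem; do
        [ -f "$key" ] || continue
        if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
            echo "private key readable by group/others: $key"
            bad=1
        fi
    done
    return "$bad"
}

# make_sample_tree ROOT: build a constructed tree (example.test is a made-up
# name, the .pem files are empty placeholders) shaped like certbot's layout.
make_sample_tree() {
    mkdir -p "$1/archive/example.test" "$1/live/example.test"
    for f in cert chain fullchain privkey; do
        : > "$1/archive/example.test/${f}1.pem"
        ln -s "../../archive/example.test/${f}1.pem" "$1/live/example.test/$f.pem"
    done
    chmod 600 "$1/archive/example.test/privkey1.pem"
}

# Demo on the constructed tree; on the new server call: check_le_tree /etc/letsencrypt
tmp=$(mktemp -d) && make_sample_tree "$tmp" && check_le_tree "$tmp" && echo "constructed sample tree: OK"
rm -rf "$tmp"
```

letsencrypt.tar holds the same private keys as the directory, so remove the copies on both servers once the tree checks out.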

Now, test it with certbot renew --nginx --dry-run --force-renewal.

  • Note: I ended up getting an error: certbot: error: unrecognized arguments: --max-log-backups 0

    I found that the --max-log-backups was added in a newer version of certbot than what apt-get installed. It installed version 0.10.2. It was added in something like 0.17.0.

    I then tried following the guide at certbot's site. It said to use sudo apt-get install python-certbot-nginx -t stretch-backports.

    Ran that, then got another error saying that E: The value 'python-certbot-nginx' is invalid for APT::Default-Release as such a release is not available in the sources.

    The fix was easy. Add deb http://ftp.us.debian.org/debian stretch-backports main to a new line at the end of /etc/apt/sources.list.

    Then run apt-get update. And re-run the apt-get install python-certbot-nginx -t stretch-backports.

    I now got the actual latest release of certbot, 0.28.0.

For me, the dry-run test got hung up on the challenge part. I sort of expected it since I haven't put this new VM in place yet. So, right now, I'm assuming this is good to go.

And that was all there was to it. Everything worked as expected when I downed the old system and put this one in. I even did a force renew just to be sure by running certbot renew --nginx --force-renewal.