🎯 Objective
Let’s Encrypt is one of the most popular free CAs that simplifies web security by providing automatic SSL certificates. However, in case of system crashes, VPS changes, or misconfigurations, knowing how to back up and restore manually is crucial.
1️⃣ Let’s Encrypt Directory Structure
| Path | Description |
|---|---|
| /etc/letsencrypt/ | General settings and configuration files |
| /etc/letsencrypt/live/ | Active (symlinked) certificates |
| /etc/letsencrypt/archive/ | All historical certificate and key files |
| /etc/letsencrypt/renewal/ | Renewal .conf files (one per domain) |
2️⃣ Full Certificate Backup (Entire System)
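```bash
#!/bin/bash
set -e
# The archive holds every private key under /etc/letsencrypt,
# so create the directory and file readable by root only.
umask 077
BACKUP_DIR="/root/letsencrypt-backups"
mkdir -p "$BACKUP_DIR"
TIMESTAMP=$(date +%Y%m%d-%H%M%S)
FILENAME="letsencrypt-$TIMESTAMP.tar.gz"
# tar stores the paths without the leading "/", so the restore extracts with -C /
tar -czf "$BACKUP_DIR/$FILENAME" /etc/letsencrypt
echo "✔ Backup completed: $BACKUP_DIR/$FILENAME"
```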
3️⃣ Backup for Specific Domain Only
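```bash
DOMAIN="example.com"
# live/ only contains symlinks into archive/, so both directories are needed,
# plus the renewal config that certbot uses for this domain.
tar -czf "letsencrypt-$DOMAIN.tar.gz" \
    "/etc/letsencrypt/live/$DOMAIN" \
    "/etc/letsencrypt/archive/$DOMAIN" \
    "/etc/letsencrypt/renewal/$DOMAIN.conf"
```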
4️⃣ Restore Process (to New Server)
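```bash
# On the old server: copy the archive to the new server
scp letsencrypt-*.tar.gz root@192.168.1.20:/root/

# On the new server, from /root (assumes exactly one matching archive there)
tar -xzf letsencrypt-*.tar.gz -C /
chown -R root:root /etc/letsencrypt
# -R applies 750 to regular files too, including privkey*.pem,
# which certbot itself writes as 0600
chmod -R 750 /etc/letsencrypt
systemctl restart nginx
# List the certificates certbot now knows about, with their expiry dates
certbot certificates
```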
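The following check is an added example, not part of the original article: after extraction it confirms that every link under live/ resolves to a file under archive/, that the private key is not accessible to other users, and that the renewal config came along. The function name `check_le_tree` is hypothetical, and GNU `readlink` and `stat` are assumed.

```bash
#!/bin/bash
# check_le_tree [ROOT]: sanity-check a restored Let's Encrypt tree (GNU tools).
# Prints one line per problem; returns 0 when clean, 1 otherwise.
check_le_tree() {
    local root rc=0 dir domain name link target mode
    # Resolve ROOT physically so it can be compared with readlink -f output.
    root=$(cd "${1:-/etc/letsencrypt}" 2>/dev/null && pwd -P) || {
        echo "cannot enter ${1:-/etc/letsencrypt}"; return 1; }
    for dir in "$root"/live/*/; do
        [ -d "$dir" ] || continue
        domain=$(basename "$dir")
        for name in cert chain fullchain privkey; do
            link="$dir$name.pem"
            if [ ! -L "$link" ]; then
                echo "$domain: $name.pem is missing or not a symlink"; rc=1
                continue
            fi
            # A dangling link means archive/ was not restored along with live/.
            target=$(readlink -f "$link") || target=""
            if [ ! -f "$target" ]; then
                echo "$domain: $name.pem is a dangling symlink"; rc=1
                continue
            fi
            case "$target" in
                "$root"/archive/*) ;;
                *) echo "$domain: $name.pem resolves outside archive/"; rc=1 ;;
            esac
            if [ "$name" = privkey ]; then
                # The last octal digit must be 0: no access for "other".
                mode=$(stat -c '%a' "$target")
                case "$mode" in
                    *0) ;;
                    *) echo "$domain: private key mode $mode lets other users in"; rc=1 ;;
                esac
            fi
        done
        [ -f "$root/renewal/$domain.conf" ] ||
            { echo "$domain: renewal/$domain.conf is missing"; rc=1; }
    done
    return "$rc"
}
```

Called with no argument, it checks /etc/letsencrypt.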
5️⃣ Verify Certbot Renewal Automation
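```bash
# Check whether the renewal timer is scheduled
systemctl list-timers | grep certbot
# Enable it and start it immediately if it is not
systemctl enable --now certbot.timer
```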
6️⃣ Encrypt Backups with GPG (Optional)
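```bash
# -c encrypts symmetrically with a passphrase and writes <file>.gpg next to the
# original; the unencrypted .tar.gz stays on disk until it is removed.
gpg -c /root/letsencrypt-backups/letsencrypt-20251014.tar.gz
```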
7️⃣ Automatic Cloud Backup via AWS S3 or Google Drive (Optional)
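```bash
# ARCHIVE: path to the backup file to upload (not set by the scripts above);
# "remote" is the name of a remote already configured in rclone.
rclone copy "$ARCHIVE" remote:letsencrypt-backups/
```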
8️⃣ DNS Challenge (Using acme.sh – Alternative Method)
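```bash
# Pipes the installer straight into sh; download and read it first to review what runs.
curl https://get.acme.sh | sh
# dns_cf is the Cloudflare DNS hook; it needs Cloudflare API credentials
# exported in the environment before this command is run.
~/.acme.sh/acme.sh --issue --dns dns_cf -d "hmyn.net" -d "*.hmyn.net"
```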
🔚 Conclusion
Even though Let’s Encrypt works automatically in most cases, every system administrator must be able to manually back up and restore certificate files when needed.