Best way to *move* domain (& it's cert) to new server?


#1

Hi All,

I’ve successfully configured LE (using Certbot) on a few of our internal servers, but now I’ve been tasked with moving one ‘demo’ domain from our test environment to a more accessible server. The ‘source’/‘origin’ server also has a 2nd domain which also utilizes LetsEncrypt, so I believe that I need to ‘split’ the two domains apart, so that the 2nd domain is still active with LE - is that correct?

The domain info (hostname, config, etc.) for the ‘demo’ domain will remain the same, it just needs to live on a different system. I’ve spent a good part of the morning looking to see if it’s possible to “transfer” a LetsEncrypt setting to another host, but no luck so far.

Failing that, it appears that the next-best way to move the domain would be to delete the certificate & configuration for the demo domain & then re-create it on the new server, but I’d like to confirm that there’s not a better (or “more correct”) alternate method first.

Thank you, I appreciate any help/pointers.


#2

Hi @TBoneJones,

But do you have 1 cert covering both domains or you just have 2 certificates, 1 for each domain?

If you have 1 certificate covering both domains, yes, I will issue a new cert for the demo domain in the new machine and a new one for the second domain on the origin machine and will remove the old certificate covering both domains.

If you already have 2 different certificates then you can install certbot on the new machine copy the entire /etc/letsencrypt/ dir from the origin machine to the new machine and use certbot delete to remove the second domain on the new machine so you left only the demo domain and do the same but this time on origin machine, use certbot delete to remove the demo domain and you are done. If you use this way, keep in mind that both domains will use the same Let’s Encrypt account, there should be no problem but it is important because both domains will receive expiration mails in the email you used to register it in the origin server the first time.

Anyway, I don’t think there is a “correct” method, simply use the best option for you and your environment.

Note: before using certbot delete double check you have a backup of /etc/letsencrypt/ dir… just in case ;).

Good luck,
sahsanu


#3

Thank you @sahsanu for the great response. The output of certbot certificates shows the following (edited to remove specific domain name), so I’m fairly certain that we have two certificates:

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: www.stage.bogustestdomain.com
    Domains: www.stage.bogustestdomain.com,www.testtrack.bogustestdomain.com
    Expiry Date: 2018-06-19 07:30:40+00:00 (VALID: 84 days)
    Certificate Path: /etc/letsencrypt/live/www.stage.bogustestdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.stage.bogustestdomain.com/privkey.pem
  Certificate Name: www.demo.bogustestdomain.com
    Domains: demo.bogustestdomain.com,www.demo.bogustestdomain.com
    Expiry Date: 2018-06-18 07:30:38+00:00 (VALID: 83 days)
    Certificate Path: /etc/letsencrypt/live/www.demo.bogustestdomain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.demo.bogustestdomain.com/privkey.pem
-------------------------------------------------------------------------------

Unless you see something that suggests that I do otherwise, I will use the ‘copy & certbot delete’ process that you outlined as the 2nd method in your message. Thanks again!


#4

@TBoneJones, yes you have 2 certs so go ahead with the copy & certbot delete way :wink:

One more thing, with copy I mean use whatever you want but keep in mind that inside /etc/letsencrypt/ there are a few symbolic links that you should preserve and depending on the method used, those symbolic links could be lost or converted to regular files (tar command is your friend) :slight_smile:


#5

Outstanding, that would have been easy to overlook, so I definitely appreciate your suggestions/advice, I will make sure to pay attention to that as I make the transition. Thanks again! :+1:


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.