Certbot renew dry run successful with no DNS entry


#1

I am running a couple of sites with Let's Encrypt. Now I want to move the sites to a new machine. I will assign the IP of the old machine to the new machine after the migration.

To test whether Let's Encrypt will work properly on the new machine, I copied /etc/letsencrypt (preserving symlinks) from the old machine to the new machine, and the nginx setup is the same on the old and new machines. However, I have not yet changed the DNS entries of the websites, so DNS still points to the old machine.

Now my question is: I ran certbot renew --dry-run on the new machine (its IP is still not in the DNS records) and it passed. How can it pass if the IP of the new machine is not in the DNS records? I am using webroot authentication for one of the sites and nginx for another.


#2

Hi @vishalsevani

Did you try a dry run on the old server before?

If yes: the valid authorization (one per domain name) is cached for 30 days. So if you use the same account (via the copy), you can use it without a new validation.

-> You’ve got a new certificate.


#3

Thanks for the reply, Juergen. I did certbot renew --dry-run on the old server. So you mean that when I copied /etc/letsencrypt from the old server to the new one, the cached copy of the certs also got copied, and so certbot renew --dry-run works on the new server?

Also, is the procedure that I am using to move the certs from the old server to the new server, i.e. copying /etc/letsencrypt (preserving links), correct?

Thanks


#4

It’s not about your copy of your certificates. It’s the copy of your account key and the associated authorization, which is stored by Let's Encrypt.

Use the same certificate with your old and new server.

Then change your ip address.

If the certificate is < 30 days old, then renew it. It’s not a good idea to test too many things with settings (missing A record) which are wrong.

So skip these dry-run tests on your new server if the public IP points to the old server. 30 days are enough.
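The question in #3 (is copying /etc/letsencrypt with links preserved the right way to move certbot?) can be checked mechanically: what has to survive the copy is the live/ -> archive/ symlink layout, the renewal/ configs, and the accounts/ directory that holds the account key whose cached authorizations the reply above refers to. The script below is an added example, not from this thread; it builds a constructed stand-in tree under a temp directory (example.com, the account id 0123abcd and the file contents are made up), copies it once with symlinks preserved and once with symlinks dereferenced, and verifies each copy.

```shell
#!/bin/sh
# Added example (not from this thread): simulate moving /etc/letsencrypt to a
# new machine and check that the copy kept the layout certbot needs.
# Everything here is a CONSTRUCTED stand-in built under a temp directory;
# example.com and the account id 0123abcd are made up.
set -eu

# Build a minimal certbot-style tree: archive/ holds the real files,
# live/ holds relative symlinks into archive/, renewal/ holds per-cert
# configs, accounts/ holds the ACME account key (the thing whose cached
# authorizations let a dry run pass on the new machine).
make_fake_tree() {
  root="$1"
  acct="$root/accounts/acme-v02.api.letsencrypt.org/directory/0123abcd"
  mkdir -p "$root/archive/example.com" "$root/live/example.com" "$root/renewal" "$acct"
  for f in cert chain fullchain privkey; do
    echo "constructed $f" > "$root/archive/example.com/${f}1.pem"
    ln -s "../../archive/example.com/${f}1.pem" "$root/live/example.com/$f.pem"
  done
  echo "# constructed renewal config" > "$root/renewal/example.com.conf"
  echo '{"constructed": "account key"}' > "$acct/private_key.json"
}

# Copy preserving symlinks (cp -a; rsync -a or tar behave the same way).
copy_preserving() { cp -a "$1" "$2"; }

# Copy that dereferences symlinks: live/ ends up holding plain files, so
# certbot can no longer repoint live/ at new archive/ entries on renewal.
copy_dereferencing() { cp -rL "$1" "$2"; }

# Return 0 if the tree still looks like one certbot can renew from.
verify_tree() {
  root="$1"
  find "$root/accounts" -name private_key.json 2>/dev/null | grep -q . \
    || { echo "FAIL: no account key under $root/accounts"; return 1; }
  ls "$root/renewal"/*.conf >/dev/null 2>&1 \
    || { echo "FAIL: no renewal configs in $root/renewal"; return 1; }
  for link in "$root"/live/*/*.pem; do
    [ -L "$link" ] || { echo "FAIL: not a symlink: $link"; return 1; }
    [ -e "$link" ] || { echo "FAIL: dangling symlink: $link"; return 1; }
  done
  echo "OK: $root keeps the live -> archive symlink layout and the account key"
  return 0
}

# Demo run on the constructed tree.
tmp=$(mktemp -d)
make_fake_tree "$tmp/src"
copy_preserving "$tmp/src" "$tmp/good"
copy_dereferencing "$tmp/src" "$tmp/bad"
verify_tree "$tmp/good" || true
verify_tree "$tmp/bad" || true
rm -rf "$tmp"
```

On a real migration the same verify_tree check can be pointed at /etc/letsencrypt on the new machine after a `cp -a` or `rsync -a` copy. A copy that dereferenced the links (the `bad` case) still serves the current certificates, which is why it can look fine until the first real renewal writes new archive/ files that live/ no longer points to.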


#5

Thanks Juergen.

After I assign the public IP to the new server, I intend to run certbot renew --force-renewal once to see if certbot is working properly. Or is there another way to confirm that certbot is working properly?


#6

Use the normal renew if the certificate is valid for less than 30 days.


#7

I intend to migrate in a couple of days and my certs have more than 50 days of validity. However, on migration I want to ensure certbot works properly. So I was thinking of running certbot renew --force-renewal to verify that certbot works properly.


#8

That sounds fine. Don’t do it often, and especially don’t put --force-renewal in a cron job or something, but doing it once is fine.