I would like to move my web site ( https://eax.me/ ) from shared hosting to DigitalOcean and use Let’s Encrypt instead of my current CA, Thawte. I already used Let’s Encrypt, but only for sites that didn’t have TLS before. It is my understanding that I have to do something like this:
Deploy an unencrypted copy of my website at DO
Edit DNS record
Wait
When the website is moved to DO, configure Let’s Encrypt as usual
The only thing that bothers me in this scenario is that for some time users who find my website in Google will see “Connection refused” since there is no TLS yet.
Is there some way to avoid this situation? Maybe anything else I should consider? E.g. will users see any warning regarding sudden certificate change?
This isn't a good idea. You would break your current HTTPS.
One option: there are "pure online clients". So if you can create (on your current hosting) a directory /.well-known/acme-challenge/ and save a file there (given by the online client), you can create a certificate with your current hosting environment. Then you can install a webserver, install this certificate and copy the content.
Second option: do you have the private key of your current certificate? Then you can use the old certificate with your new hosting and create a Let's Encrypt certificate later.
The "connection refused"... that looks like a port issue rather than a certificate issue...
That's why you should make sure certificates and server are well-prepared, then officially change the DNS records
Like @JuergenAuer's response,
I personally think the best steps are:
Copy all contents from the shared hosting to digital ocean machine
Set up virtual hosts for the http & https versions. (Test it in the subnet, or use domains like 'beta.eax.me')
Change DNS records
Wait for 1 minute and apply the Let's Encrypt certificate (as a backup, you could use the Thawte certificate until it expires... if you hold the private key & public key)
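Both answers above boil down to the same rule: have the certificate installed and working on the DigitalOcean box before touching DNS. The step people tend to skip is actually proving that, and a hosts-file hack or a throwaway `beta.` name does not exercise the real vhost. The script below is an added example (my own, not code from anyone in this thread): it connects to the new server's IP directly but sends the real hostname in SNI and verifies the chain and name exactly as a browser will after the DNS change. The droplet IP `203.0.113.10` on the usage line is a placeholder; the `eax.me` names in the comments are just the site from the question. The pure helpers (`cert_names`, `covers_hostname`, `days_until_expiry`) work on the dict that `getpeercert()` returns, so they can be exercised without a network.

```python
"""Pre-cutover TLS check for a site migration.

Added example, not from the original thread. Connects to a NEW server's IP
while presenting the real hostname via SNI, so the HTTPS vhost and the
installed certificate can be verified before the DNS record is changed.

Usage:  python check_tls.py eax.me 203.0.113.10     (IP is a placeholder)
"""
import socket
import ssl
import sys
import time


def _rdn_pairs(name):
    """Flatten the RDN tuple-of-tuples structure from getpeercert() into (k, v)."""
    return [kv for rdn in name for kv in rdn]


def cert_names(cert):
    """DNS names the peer-cert dict is valid for: every subjectAltName DNS
    entry, falling back to the subject CN only when no SAN is present
    (which is how browsers treat it, and Let's Encrypt always sets SANs)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for k, v in _rdn_pairs(cert.get("subject", ())) if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    wildcard that is the whole leftmost label and matches exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        plabels, hlabels = pattern.split("."), hostname.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def covers_hostname(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def expiry_ts(cert):
    """notAfter as a Unix timestamp, using ssl's own parser for its
    'Jun  1 12:00:00 2030 GMT' format."""
    return ssl.cert_time_to_seconds(cert["notAfter"])


def days_until_expiry(cert, now_ts=None):
    now_ts = time.time() if now_ts is None else now_ts
    return int((expiry_ts(cert) - now_ts) // 86400)


def check_tls_at_ip(hostname, ip, port=443, timeout=10):
    """Handshake with `ip` as if DNS already pointed `hostname` there.

    create_default_context() uses the system CA store and enforces hostname
    checking, so an untrusted chain or a cert for the wrong name raises
    ssl.SSLCertVerificationError instead of silently passing."""
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            issuer = dict(_rdn_pairs(cert["issuer"])).get("organizationName")
            return {
                "issuer": issuer,                      # e.g. "Let's Encrypt" or the old CA
                "names": cert_names(cert),
                "covers_hostname": covers_hostname(cert, hostname),
                "days_left": days_until_expiry(cert),  # old cert reused? watch this
                "protocol": tls.version(),
            }


if __name__ == "__main__":
    host, ip = sys.argv[1], sys.argv[2]
    try:
        print(check_tls_at_ip(host, ip))
    except ssl.SSLCertVerificationError as exc:
        print("NOT READY, do not change DNS yet:", exc)
        sys.exit(1)
    except OSError as exc:
        # "Connection refused" here means nothing is listening on 443 at the
        # new IP, a server/port problem rather than a certificate one.
        print("NOT READY, no TLS listener:", exc)
        sys.exit(1)
```

Run it against the droplet IP for both `eax.me` and `www.eax.me` (if the site answers on both); a clean dict with `covers_hostname: True` and a sane `days_left` means browsers will see no warning after the switch, and the only user-visible change is the issuer name in the certificate details. If you go with the "reuse the Thawte certificate" option, `days_left` is the number you have to renew within.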