Changing VPS, how to not confuse letsencrypt?

Hi

I have VPS1 running domain.com. Using virtualmin I created a let’s encrypt ssl certificate that is renewed automatically every x months and all is good.

Now I want to migrate domain.com to VPS2 (different IP). At first, domain.com will still run on VPS1. After I finish the setup, I want to switch domain.com to VPS2; for that I will change the A record at my domain’s registrar to point to VPS2/new IP.

At what point should I handle Let’s Encrypt?
Can I do that only after the switch, or can I set up something before, so switching will be seamless?

VPS1 will be shut down and closed after switching to VPS2.

Thanks

1 Like

It makes best sense (zero downtime) to prepare VPS2 fully before changing the IP of any names.
Otherwise, the IP will point to a system that isn’t prepared and there may be some “downtime”.

To that end, you could copy the entire LE folder from VPS1 to VPS2 along with your web server configs.
That would ensure that VPS2 has the cert(s) needed to serve all the sites securely right from the start.

That said, you would need to ensure that the “copy” brings all the right links and permissions or you may have access permission issues, etc. (problems).

If for whatever reason you can’t “copy” from the VPS1 to VPS2, you can always issue new certs on VPS2 immediately (once DNS is updated to point the IPs to VPS2).

1 Like

Thank you for your reply.

My plan is to prepare VPS2 completely and then go to the registrar and update the A record. I don’t remember exactly my steps when issuing letsencrypt on VPS1, but back then I didn’t have any parallel VPS and no worries about downtime :)

Files and folders I know how to copy, but what about “your web server configs.” and “ensure “copy” brings all the right links and permissions”?

Do I understand correctly that if all else fails, I should just wait for the switch to happen and only then issue the letsencrypt cert? That means downtime, which I don’t want, so I hope there is a better way.

1 Like

Presuming you will be using TAR to “zip and copy”, things like:
--keep-directory-symlink
-p, --preserve-permissions, --same-permissions
-P, --absolute-names

Whatever you do, you need to compare the files in VPS1 with the copied files in VPS2 (at least visually) before switching the IP in DNS.
[and maybe be prepared to switch the IP back if anything goes really wrong]

1 Like
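The tar copy and the VPS1-versus-VPS2 comparison suggested above, as an added example that is not part of the original posts. It records mode, symlink target and SHA-256 for every entry so a dereferenced link or a loosened private-key permission shows up before DNS is switched. The `live/` and `archive/` layout, file names and dummy contents are constructed, and `sha256sum` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread): tar-copy a certificate tree, then
# compare source and copy before the DNS A record is changed.

# manifest DIR: one line per entry with mode string, path, and either the
# symlink target or the SHA-256 of the file. Ownership is not compared.
manifest() {
  ( cd "$1" && find . -mindepth 1 | LC_ALL=C sort | while IFS= read -r p; do
      mode=$(ls -ld "$p" | cut -c1-10)
      if [ -L "$p" ]; then extra="-> $(readlink "$p")"
      elif [ -f "$p" ]; then extra=$(sha256sum < "$p" | cut -d' ' -f1)
      else extra=-
      fi
      printf '%s %s %s\n' "$mode" "$p" "$extra"
    done )
}

# pack SRC ARCHIVE: tar stores symlinks as symlinks unless -h is given.
pack() { tar -C "$1" -cpf "$2" . ; }

# unpack ARCHIVE DEST: -p restores recorded modes instead of applying the umask.
unpack() { mkdir -p "$2" && tar -C "$2" -xpf "$1" ; }

# verify_copy OLD NEW: prints differing manifest lines, returns 0 only on a match.
verify_copy() {
  t=$(mktemp -d) || return 2
  manifest "$1" > "$t/old"; manifest "$2" > "$t/new"
  diff "$t/old" "$t/new"; rc=$?
  rm -rf "$t"; return "$rc"
}

# make_sample_tree DIR: constructed stand-in for the certificate folder, using
# a live/ -> archive/ symlink layout with a 0600 private key (dummy contents).
make_sample_tree() {
  mkdir -p "$1/archive/domain.com" "$1/live/domain.com"
  echo "constructed dummy key"  > "$1/archive/domain.com/privkey1.pem"
  echo "constructed dummy cert" > "$1/archive/domain.com/fullchain1.pem"
  chmod 600 "$1/archive/domain.com/privkey1.pem"
  chmod 644 "$1/archive/domain.com/fullchain1.pem"
  chmod 700 "$1/archive" "$1/live"
  for f in privkey fullchain; do
    ln -s "../../archive/domain.com/${f}1.pem" "$1/live/domain.com/$f.pem"
  done
}
```

On two real servers, run `manifest` against the certificate folder on each and diff the two outputs; any line that differs is a file, link or permission to fix before the A record changes.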

You did read he used/uses VirtualMin, right? I’m guessing it’s going to be a little bit more difficult than just copying a bunch of files over.

2 Likes

Let’s see if I got it right: In virtualmin I set it to use letsencrypt, it does all the work, creates the folder, creates the files, creates the certs and all is good. I set it for domain.com and www.domain.com even though domain.com is still pointing somewhere else. It should be ok, no? Does Let’s Encrypt have to have the domain already within the VPS it is on?

Once I change the IP in the registrar, the domain will move to VPS2 where virtualmin already set the certs of letsencrypt so this should be seamless, no? Am I missing something?

Soon I will need to start the migration and I will have a short period of time to do that, please let me know if I’m missing something with my previous description, especially these parts:

  1. Can I create a certificate on VPS2 for a domain that resides on VPS1?
  2. Assuming I can, will changing the A RECORD from VPS1 to VPS2 make everything work smoothly?

Thanks

Hi @amoss

Please read some basics.

Then

1 Like

Thank you for the links.
So I will need to do something (http or dns challenge) to prove I’m the owner but VPS1 will still be active so the challenge will “pass” but it won’t once I do the switch.

If I understood the articles correctly, it means I will have to do the migration only after changing the dns in the registrar to make sure it looks on the “right” server (vps2). Is my understanding correct?

1 Like

OK, I read here http://nateserk.com/2019/tech/migrate-letsencrypt-ssl-certificates-to-a-different-server-guide/ and it all sounds clean and simple, except for one thing: I’m using virtualmin that has its own letsencrypt mechanism for it so I didn’t understand if I should do all the above before or after enabling virtualmin’s mechanism on the new VPS.

1 Like

That’s a very good question. I’m not sure the regulars on this forum have (much/any?) experience with Virtualmin. Perhaps it’s a good idea to ask that on a Virtualmin forum?

1 Like

I don’t understand your basic setup.

Every control panel has an option to install a certificate manually.

So copy the two or three certificate files from your old server and import these to your new server.

Then (some days later) switch your IP address.

Then (again some days later) create a new certificate using the new control panel.

PS: Then you don’t have any downtime.

2 Likes

@JuergenAuer that will work assuming

  1. Just copying the files from VPS1 to VPS2 will be enough
  2. The domain is still on VPS1 when copying the files to VPS2 so I don’t know if it will work and if switching the IP will be seamless.
  3. Activating letsencrypt from virtualmin when I already have certs that I put manually, won’t cause a contradiction.

@Osiris - I will try this on virtualmin forum as well.

1 Like

OK, I’m now in the crucial step itself.

VPS1 including virtual server for domain.com with letsencrypt certificate and registrar pointing to it - alive and working.

VPS2 including virtual server for domain.com. While VPS1 is alive, I want to request a certificate for domain.com and www.domain.com.

My only worry is to have any kind of contradiction with VPS1, which is live production. Will letsencrypt issue a certificate to VPS2->domain.com with no problem?

I’m using virtualmin. I asked there as well but no one is answering and I wonder if I’m the first one ever to be in this situation.

Your question says: You didn’t read the basics.

Please read the shared documents.

Thanks!

1 Like

It simply means I don’t know how virtualmin works regarding the challenges.
In Virtualmin I simply enter the domains to cover and click a button to request the certificate.

OK, it uses the DNS challenge so, to conclude, I have to change A RECORD and then request the certificate.