I have VPS1 running domain.com. Using Virtualmin I created a Let's Encrypt SSL certificate that is renewed automatically every x months and all is good.
Now I want to migrate domain.com to VPS2 (different IP). At first, domain.com will still run on VPS1. After I finish the setup, I want to switch domain.com to VPS2; for that I will change the A record at my domain's registrar to point to VPS2/the new IP.
At what point should I handle Let's Encrypt?
Can I do that only after the switch, or can I set up something before, so switching will be seamless?
VPS1 will be shut down and closed after switching to VPS2.
It makes best sense (zero downtime) to prepare VPS2 fully before changing the IP of any names.
Otherwise, the IP will point to a system that isn’t prepared and there may be some “downtime”.
To that end, you could copy the entire LE folder from VPS1 to VPS2 along with your web server configs.
That would ensure that VPS2 has the cert(s) needed to serve all the sites securely right from the start.
That said, you would need to ensure that the “copy” brings all the right links and permissions or you may have access permission issues, etc. (problems).
If for whatever reason you can’t “copy” from the VPS1 to VPS2, you can always issue new certs on VPS2 immediately (once DNS is updated to point the IPs to VPS2).
My plan is to prepare VPS2 completely and then go to the registrar and update the A record. I don't remember exactly my steps when issuing Let's Encrypt on VPS1, but back then I didn't have any parallel VPS and no worries about downtime.
Files and folders I know how to copy, but what about "your web server configs" and "ensure 'copy' brings all the right links and permissions"?
Do I understand correctly that if all else fails, I should just wait for the switch to happen and only then issue the Let's Encrypt cert? That means downtime I don't want, so I hope there is a better way.
Presuming you will be using tar to "zip and copy", things like: --keep-directory-symlink; -p, --preserve-permissions, --same-permissions; -P, --absolute-names
Whatever you do, you need to compare the files in VPS1 with the copied files in VPS2 (at least visually) before switching the IP in DNS.
[and maybe be prepared to switch the IP back if anything goes really wrong]
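As an added example (not code from the thread or from Virtualmin), the steps above as a small shell script: archive the Let's Encrypt tree so the live/ -> archive/ symlinks and file modes survive, restore it on the other host, and compare a manifest of both trees before the A record is changed. The directory passed in is an assumption; on a real host it is normally /etc/letsencrypt.

```shell
#!/bin/sh
# Added example, not code from the thread: archive the Let's Encrypt tree on VPS1 so
# that the live/ -> archive/ symlinks and file permissions survive, restore it on
# VPS2, and compare both trees before the A record is changed. The directory
# passed in is an assumption; on a real host it is normally /etc/letsencrypt.
set -eu

# pack_le_dir SRC_DIR OUT_TAR: archive the directory by name, not its contents,
# so relative links such as live/x/privkey.pem -> ../../archive/x/privkey1.pem stay valid.
pack_le_dir() {
  tar -cf "$2" -C "$(dirname "$1")" "$(basename "$1")"
}

# unpack_le_dir TAR DEST_PARENT: restore with -p (keep modes even when not root)
# and --keep-directory-symlink so an existing directory symlink on VPS2 is not replaced.
unpack_le_dir() {
  mkdir -p "$2"
  tar -xpf "$1" --keep-directory-symlink -C "$2"
}

# manifest DIR: one line per entry: path, type, then link target, or mode and sha256.
# Diffing two manifests reveals missing files, changed modes and wrong link targets.
manifest() {
  ( cd "$1" && find . -mindepth 1 | LC_ALL=C sort | while IFS= read -r p; do
      if [ -L "$p" ]; then
        printf '%s link %s\n' "$p" "$(readlink "$p")"
      elif [ -d "$p" ]; then
        printf '%s dir %s\n' "$p" "$(stat -c %a "$p")"
      else
        printf '%s file %s %s\n' "$p" "$(stat -c %a "$p")" "$(sha256sum < "$p" | cut -d' ' -f1)"
      fi
    done )
}

# verify_copy SRC DST: succeed only when both trees match entry for entry.
verify_copy() {
  a=$(mktemp); b=$(mktemp)
  manifest "$1" > "$a"
  manifest "$2" > "$b"
  if cmp -s "$a" "$b"; then rc=0; else rc=1; fi
  rm -f "$a" "$b"
  return "$rc"
}

# Typical use: on VPS1 run pack_le_dir /etc/letsencrypt /root/le.tar and save
# manifest /etc/letsencrypt > /root/le.manifest; copy both files to VPS2, run
# unpack_le_dir /root/le.tar /etc there, and diff /root/le.manifest against manifest /etc/letsencrypt.
```

The web server configs (Apache/nginx vhosts referencing the live/ paths) still have to be copied separately; this only covers the certificate tree itself.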
Let's see if I got it right: in Virtualmin I set it to use Let's Encrypt, it does all the work, creates the folder, creates the files, creates the certs and all is good. I set it for domain.com and www.domain.com even though domain.com is still pointing somewhere else. It should be OK, no? Does Let's Encrypt have to have the domain already within the VPS it is on?
Once I change the IP at the registrar, the domain will move to VPS2, where Virtualmin already set the Let's Encrypt certs, so this should be seamless, no? Am I missing something?
Soon I will need to start the migration and I will have a short period of time to do that, so please let me know if I'm missing something in my previous description, especially these parts:
Can I create a certificate on VPS2 for a domain that resides on VPS1?
Assuming I can, will changing the A record from VPS1 to VPS2 make everything work smoothly?
Thank you for the links.
So I will need to do something (HTTP or DNS challenge) to prove I'm the owner, but VPS1 will still be active, so the challenge will "pass" there but it won't once I do the switch.
If I understood the articles correctly, it means I will have to do the migration only after changing the DNS at the registrar, to make sure it looks at the "right" server (VPS2). Is my understanding correct?
That’s a very good question. I’m not sure the regulars on this forum have (much/any?) experience with Virtualmin. Perhaps it’s a good idea to ask that on a Virtualmin forum?
My only worry is having any kind of conflict with VPS1, which is live production. Will Let's Encrypt issue a certificate to VPS2 for domain.com with no problem?
I'm using Virtualmin. I asked there as well, but no one is answering and I wonder if I'm the first one ever to be in this situation.
It simply means I don't know how Virtualmin works regarding the challenges.
In Virtualmin I simply enter the domains to cover and click a button to request the certificate.
OK, it uses the DNS challenge, so to conclude, I have to change the A record and then request the certificate.