I have a server (Server A) with Let's Encrypt generating certs and all working OK.
All sites are already HTTPS
I plan on moving some of the sites on that machine to a new server (Server B)
I do not see how to generate the new certs for Server B until I re-direct the DNS records but I do not want to re-direct the DNS until I have new certs in place.
Unless I am missing something, I am stuck.
Can anyone advise how to get the new cert in place without changing DNS?
I am interested also to know the correct procedure to do this. We are moving our server which has a Let's Encrypt cert and I would like to know how to move the cert or create a new one as well.
As you hopefully have noticed, the certificates are issued for DNS names and don’t care about any other identifiers for the server / service beyond the DNS name.
So, certificates you generate on Server A will still be valid for the names listed in them once the actual server offering those names is Server B. You’ve mentioned you only want to move some sites, so it will make sense (if you haven’t already) to ensure the sites that will move are named in separate certificates from any sites which won’t move, that way any particular certificate either is or is not wholly for names going to server B. It’s not essential to do this, but it makes it easier to understand what’s going on.
Once they’re separate this way, you can copy/ move a certificate and the associated private key file to Server B and use it from there to prove the identify of the site now on server B. If you do it by copying then during a brief transition period (depending on how well managed the DNS servers are it could be 5 minutes or a day) you can serve the same site from Server A and Server B (obviously that’s no good if it’s a web forum or something, but it’s fine for passive information type sites) for customers whose DNS takes a while longer to notice your change.
The private key file, as its name implies, is private: don't show anybody that (even Let's Encrypt doesn't know what's inside it). Copy it securely to Server B and, once you're sure you no longer need it on Server A, destroy any copy left there. Other files are not secret, and can be treated like other data from your web site, to be moved however makes sense to you.
This approach gets you working on Day 1, which lets you set things up to use Let’s Encrypt for new certificates on Server B in the weeks after that before the current certificate expires, and after you’ve settled into the new server.
If you already have it set up, DNS-01 validation is perfect. Since it works by setting a TXT record for _acme-challenge.www.example.com, it never matters what the A or AAAA records are, or if they even exist at all.
If you prefer HTTP-01, you can make the old web server redirect the ACME challenge HTTP requests to the new server, without redirecting any other requests. For example, in Nginx:
(This would prevent the old server from being able to renew its certificate, but that’s not a problem in the short term. And, with a slightly more complicated configuration, you can allow both to continue renewing.)
Ultimately, as a temporary measure while migrating the sites, you don’t really need the certificate process to be automated or clean. You could use something like Certbot’s manual mode, or https://zerossl.com/, and create a DNS-01 record or an HTTP-01 challenge file (on the old server) by hand, or just scp the certificate and private key from the old server to the new one, and then automate everything smoothly after the migration.
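As an added example (not the Nginx snippet from the post above, which did not survive), here is a port-80 server block for the old server (Server A) that forwards only ACME HTTP-01 challenge requests to the new server while leaving the HTTPS redirect for everything else; the hostname new-server.example.com and the webroot /var/www/letsencrypt are assumed placeholders for Server B and for the `certbot --webroot` directory on Server A.

```nginx
# Added example, not from the original post. Assumed names:
# new-server.example.com = Server B, /var/www/letsencrypt = webroot certbot
# on Server A writes challenge tokens into.
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com example.com;

    # Only the ACME challenge path is handed to Server B. Let's Encrypt
    # follows the redirect, so Server B can validate the name.
    #
    # Simplest form (Server A can then no longer renew this name itself):
    #     location /.well-known/acme-challenge/ {
    #         return 302 http://new-server.example.com$request_uri;
    #     }
    #
    # The form below lets BOTH servers keep renewing: if certbot on
    # Server A just wrote the token into the local webroot, serve it;
    # otherwise send the request on to Server B, whose certbot wrote it.
    location /.well-known/acme-challenge/ {
        root /var/www/letsencrypt;
        try_files $uri @server_b;
    }

    location @server_b {
        return 302 http://new-server.example.com$request_uri;
    }

    # Every other plain-HTTP request keeps its usual HTTPS redirect.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

With this in place, `certbot --webroot -w /var/www/letsencrypt -d www.example.com` validates on Server B via the redirect, and the same command on Server A still works because its own token is found locally before the fallback.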
A) What web server are you using and what is your current configuration (do you, for example, redirect HTTP to HTTPS)?
B) Have you already obtained the certificates for the domains you are trying to migrate? If so, it should be a simple matter of transferring the /etc/letsencrypt/ and /var/log/letsencrypt directories onto your new server. /etc/letsencrypt is where the relevant files for certbot are.
C) How are you actually obtaining new certificates (what command are you using)?
D) What version of certbot are you using, and are you planning on using the same version on both (this will affect the migration)?
E) Are the domains you are migrating currently being served by the server you are migrating from?
So overall I think there are fundamental details missing which would make a meaningful answer possible.
There is no official process for migrating certbot from one server to another (for example, a --backup switch), so you can create a request for this functionality; for now, just copying the relevant folders to a new server is how most people handle a migration.